Network Device

What is a Hub?

A hub is a layer 1 device that connects multiple computers. A hub is usually termed a 'dumb' device because it repeats every frame out of every port, so each connected host sees all the traffic (and any host on the hub can sniff it).

What is a Switch?

A switch is a layer 2 device that connects two or more computers.

A switch learns which MAC address sits behind which port and forwards a frame only to the port of the intended computer (instead of broadcasting it). Broadcast frames, and frames for a MAC address it has not learned yet, still go out of every port.

What is a Router?

A router is a layer 3 device that connects two or more networks.

Routers calculate the best route for sending data from one point to another using routing protocols.
What are the ranges of Private IP?

Private IP addresses (RFC 1918) are also called non-routable IP addresses: they are not routed on the public Internet, so a host using one needs NAT to reach it.

The ranges are

- Class A: 10.0.0.0 - 10.255.255.255
- Class B: 172.16.0.0 - 172.31.255.255
- Class C: 192.168.0.0 - 192.168.255.255

CIDR format

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16
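The three RFC 1918 blocks and the CIDR notation are easiest to get right by letting the address library do the prefix match, which also catches the common mistake of treating every 172.x.x.x address as private. The block below is an added example, not code from the original page; the sample addresses are constructed, and the subnet_of() call reuses the address and mask that appear in the ipconfig output later on this page.

```python
import ipaddress

# RFC 1918 private blocks, written in the CIDR form the page lists.
RFC1918 = [ipaddress.IPv4Network(c) for c in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Link-local block a host falls back to (APIPA) when no DHCP server answers.
APIPA = ipaddress.IPv4Network("169.254.0.0/16")


def classify(addr: str) -> str:
    """Say which kind of address a dotted-quad IPv4 string is."""
    ip = ipaddress.IPv4Address(addr)
    if ip.is_loopback:                      # 127.0.0.0/8
        return "loopback"
    if ip in APIPA:
        return "apipa"
    for net in RFC1918:
        if ip in net:                       # bitwise prefix match, not a string prefix compare
            return f"private {net}"
    return "public"


def subnet_of(addr: str, mask: str) -> str:
    """Network a host belongs to, from its address and dotted subnet mask."""
    return str(ipaddress.IPv4Interface(f"{addr}/{mask}").network)


if __name__ == "__main__":
    # Constructed sample input: the boundaries that catch people out.
    for a in ("10.1.2.3", "172.15.255.255", "172.16.0.1", "172.31.255.254",
              "172.32.0.1", "192.168.100.7", "169.254.10.20", "8.8.8.8"):
        print(f"{a:16} {classify(a)}")
    # The host in the ipconfig output on this page sits in a /21, so its gateway .240.1 is in-subnet.
    print(subnet_of("10.212.243.19", "255.255.248.0"))
```

Note that 172.16.0.0/12 ends at 172.31.255.255: 172.32.0.1 is a public address, and a firewall rule written as "172.*" would be wrong in both directions.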
What is NAT?

NAT stands for Network Address Translation.

It is the process of rewriting the IP address in a packet from one address to another, usually a private IP to a public IP on the way out, and back again on the way in.

What is PAT?

PAT stands for Port Address Translation (also called NAT overload or NAPT).

PAT permits multiple devices on a LAN to share a single public IP address: the translator keeps a table keyed by (private IP, private port) and rewrites the source port, so that replies can be mapped back to the right device. The goal of PAT is to conserve public IP addresses. A side effect is that unsolicited inbound packets with no table entry are dropped, unless a static rule (port forward) is configured for them.

Example of static port forwarding:
If traffic to 100.20.30.40 is coming on port 22 > NAT that to 10.10.5.6 (a Linux server)
If traffic to 100.20.30.40 is coming on port 443 > NAT that to 10.10.5.7 (web server)
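The PAT table and the two static port-forward rules above can be modelled in a few lines, which makes the "conserve addresses" and "unsolicited inbound is dropped" points concrete. This is an added example, not code from the original page: the Pat class, its port allocation starting at 40000, and the remote address 198.51.100.5 (a documentation range) are all assumptions made for the demo; the public and internal addresses are the ones from the page.

```python
from dataclasses import dataclass, field


@dataclass
class Pat:
    """Minimal PAT (NAT overload) table for one public IP.

    Outbound flows get a fresh public source port; replies are mapped back by that port.
    `static` models the page's port-forwarding rules (public port -> internal host).
    """
    public_ip: str
    static: dict = field(default_factory=dict)    # public port -> (private ip, private port)
    table: dict = field(default_factory=dict)     # public port -> (priv ip, priv port, remote ip, remote port)
    reverse: dict = field(default_factory=dict)   # the same flow tuple -> public port
    next_port: int = 40000                        # assumed ephemeral range start

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the LAN; returns the rewritten (src ip, src port)."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.reverse:              # first packet of a flow: allocate a public port
            port = self.next_port
            self.next_port += 1
            self.table[port] = flow
            self.reverse[flow] = port
        return self.public_ip, self.reverse[flow]

    def inbound(self, src_ip, src_port, dst_port):
        """Translate a packet arriving at the public IP; None means it is dropped."""
        if dst_port in self.static:               # static rule, e.g. 443 -> web server
            return self.static[dst_port]
        flow = self.table.get(dst_port)
        if flow is None:
            return None                           # no state for this port: unsolicited, dropped
        priv_ip, priv_port, remote_ip, remote_port = flow
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None                           # reply from the wrong peer is not this flow
        return priv_ip, priv_port


if __name__ == "__main__":
    nat = Pat("100.20.30.40", static={22: ("10.10.5.6", 22), 443: ("10.10.5.7", 443)})
    # Two LAN hosts happen to use the same source port; PAT keeps them apart by public port.
    a = nat.outbound("10.10.5.20", 5000, "198.51.100.5", 443)
    b = nat.outbound("10.10.5.21", 5000, "198.51.100.5", 443)
    print("outbound mappings:", a, b)
    print("reply to a:", nat.inbound("198.51.100.5", 443, a[1]))
    print("scan of 45000:", nat.inbound("203.0.113.9", 12345, 45000))
    print("inbound 443:", nat.inbound("203.0.113.9", 12345, 443))
```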
Commonly used Port Numbers

Protocol      Port(s)         Description
FTP           20, 21          File Transfer Protocol (21 control, 20 data in active mode)
Telnet        23              Telnet (cleartext remote login)
SSH           22              Secure Shell
SMTP          25              Simple Mail Transfer Protocol
DNS           53              Domain Name System (UDP for queries, TCP for zone transfers and large answers)
DHCP          67, 68          Dynamic Host Configuration Protocol (67 server, 68 client)
HTTP          80              Hyper Text Transfer Protocol
POP3          110             Post Office Protocol v3
NTP           123             Network Time Protocol
NetBIOS       137, 138, 139   NetBIOS Name Service (137), Datagram (138) and Session (139)
IMAP          143             Internet Message Access Protocol
SNMP          161, 162        Simple Network Management Protocol (162 for traps)
LDAP          389             Lightweight Directory Access Protocol
HTTPS         443             HTTP over TLS (Secure Hyper Text Transfer Protocol)
MS SQL        1433            Microsoft SQL Server
MySQL         3306            MySQL Database
RDP           3389            Remote Desktop Protocol
Syslog        514             Used to send logs to a remote server (UDP)
TLS Syslog    6514            Syslog over TLS (Secure Syslog)
SFTP          22              SSH File Transfer Protocol (runs inside an SSH session)
Secure SMTP   465, 587        SMTP over TLS (465) and mail submission with STARTTLS (587)
- How to find the IP address of a machine?
  ipconfig

- How to find the MAC address of a machine?
  ipconfig /all

- What is the MAC address listed as on a Windows machine?
  Physical Address

- How do you find if DHCP is enabled on a system?
  ipconfig /all (look at the "DHCP Enabled" line of the adapter)

- How do you find the Default Gateway on the system?
  ipconfig /all

- How do you find the DNS servers on a system?
  ipconfig /all




C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . :
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . :
   IP Routing Enabled. . . . . . . . :
   WINS Proxy Enabled. . . . . . . . :
   DNS Suffix Search List. . . . . . :

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility
   Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
   DHCP Enabled. . . . . . . . . . . :
   Autoconfiguration Enabled . . . . :
   IPv4 Address. . . . . . . . . . . : 10.212.243.19(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.248.0
   Default Gateway . . . . . . . . . : 10.212.240.1
   DNS Servers . . . . . . . . . . . : 9.44.93.46
                                       10.48.94.195
   Primary WINS Server . . . . . . . : 10.44.64.10
   Secondary WINS Server . . . . . . : 190.48.64.117
   NetBIOS over Tcpip. . . . . . . . : Enabled


- How do you check if the destination machine is up and running or reachable?
  ping <host>. A host (or a firewall in front of it) may drop ICMP echo requests and still be up, so "no reply" is not proof that it is down.

- How to check if a port is open on the destination server?
  telnet <host> <port>. Telnet is run against the port in question: a blank screen or a banner means the TCP connection was accepted (port open), "Connection refused" means the port is closed, and a long hang followed by a timeout usually means a firewall is dropping the packets.

- How to get the hostname of a machine?
  hostname

- How do you check the open ports on a machine?
  netstat -an (lists local sockets; LISTENING entries are the open ports, the rest are active connections)
C:\>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=25ms TTL=53
Reply from 8.8.8.8: bytes=32 time=24ms TTL=53
Reply from 8.8.8.8: bytes=32 time=25ms TTL=53
Reply from 8.8.8.8: bytes=32 time=24ms TTL=53

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 24ms, Maximum = 25ms, Average = 24ms

C:\>telnet 8.8.8.8 53

C:\Users\User>hostname
<the machine's name is printed>

C:\>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  ...
Explain the difference between TCP and UDP.

TCP                                              UDP
Transmission Control Protocol                    User Datagram Protocol
Connection oriented (3-way handshake first)      Connectionless (no handshake)
Acknowledgement for transmitted data             No acknowledgement
Failed packets are retransmitted                 No retransmission
Guaranteed, in-order delivery                    Best-effort delivery
Reliable                                         Unreliable
TCP is slower (more overhead and state)          UDP is faster (8-byte header, no state)
Example: HTTP, HTTPS, SMTP, SSH etc.             Example: DNS queries, streaming video, VoIP calls, online games etc.

Because UDP has no handshake, the source address of a datagram is never verified; this is why spoofing and reflection/amplification attacks target UDP services.
Explain 3 way handshake.

A three-way handshake is the method used on a TCP/IP network to create a connection between two hosts.

It is a 3 step process in which the client and server exchange SYN and ACK (acknowledgment) segments, and agree on initial sequence numbers, before actual data communication begins.

The process is as follows:

- The client sends a SYN segment to the server it wants to communicate with. The objective of this segment is to ask whether the server is open for new connections; it carries the client's initial sequence number.
- If the server is willing to communicate with the client (if the port is open) it responds with an ACK for the client's SYN, and in the same segment expresses its intention of talking back with its own SYN (carrying the server's initial sequence number). Together this is the SYN/ACK.
- The client responds with an ACK for the server's SYN.

        CLIENT                SERVER
          | ------ SYN -------> |
          | <--- SYN, ACK ----- |
          | ------ ACK -------> |

Upon completion of this process the connection is established and client and server can exchange data. A closed port answers the SYN with RST instead of SYN/ACK, and a port behind a dropping firewall answers nothing at all, which is how port scanners tell open, closed and filtered ports apart.
Explain Packet Structure.

A TCP/IP packet has 3 main sections:
- IP header (Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, TTL, Protocol, Header Checksum, Source Address, Destination Address, Options)
- TCP header (Source Port, Destination Port, Sequence Number, Acknowledgement Number, Data Offset, Flags, Window, Checksum, Urgent Pointer, TCP Options)
- Payload (the application data)

A few of the important fields in the packet are
- Source IP
- Destination IP
- Source Port
- Destination Port
- TCP Flags
- Data
Explain TCP Flags.

In a TCP connection, flags are used to indicate a particular state of the connection.

There are 6 classic flags in a TCP header (newer stacks add CWR and ECE for explicit congestion notification):

SYN (Synchronize) - Used in the first step of the connection establishment phase, i.e. the 3-way handshake between the two hosts.
ACK (Acknowledgement) - Used to acknowledge data that has been successfully received by the host. It is set on almost every segment after the handshake.
FIN (Finish) - Used to request connection termination, i.e. when there is no more data from the sender, it requests an orderly close.
RST (Reset) - Used to abort the connection if the sender feels something is wrong with the TCP connection or that the conversation should not exist (for example, a SYN to a closed port is answered with RST).
PSH (Push) - Tells the receiver to hand the data to the application as it is received instead of buffering it.
URG (Urgent) - Data inside a segment with URG = 1 is forwarded to the application layer immediately, even if there is more data queued for the application layer; the Urgent Pointer field says where the urgent data ends.
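The handshake, the TCP header layout and the flag bits all fit in one small packer/parser, which is the kind of thing a detection engineer writes to read raw captures. The block below is an added example serving the 3-way handshake, packet structure and TCP flags questions above; it is not code from the original page. It packs only the fixed 20-byte TCP header (no options, checksum left at zero because that needs the IP pseudo-header), and the port numbers and initial sequence numbers used in the demo are constructed.

```python
import random
import struct

# Flag bits of the TCP header flags byte (RFC 793 layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}
MASK32 = 0xFFFFFFFF

# Fixed 20-byte TCP header: src port, dst port, seq, ack, data offset/reserved, flags, window, checksum, urgent ptr.
HDR = struct.Struct("!HHIIBBHHH")


def build(src_port, dst_port, seq, ack, flags, window=65535):
    """Pack a TCP header with no options (data offset 5 words). Checksum is left 0: it needs the IP pseudo-header."""
    return HDR.pack(src_port, dst_port, seq & MASK32, ack & MASK32, 5 << 4, flags, window, 0, 0)


def parse(raw):
    """Unpack the fixed part of a TCP header from raw bytes into a dict."""
    if len(raw) < HDR.size:
        raise ValueError("short TCP header")
    sp, dp, seq, ack, off, flags, win, csum, urg = HDR.unpack_from(raw)
    return {"src_port": sp, "dst_port": dp, "seq": seq, "ack": ack,
            "data_offset": off >> 4, "flags": flags,
            "flag_names": [n for bit, n in FLAG_NAMES.items() if flags & bit],
            "window": win, "checksum": csum, "urgent_ptr": urg}


def handshake(client_port, server_port, client_isn=None, server_isn=None):
    """The three segments of a handshake. A SYN occupies one sequence number, so each side acks the other's ISN + 1."""
    c_isn = random.getrandbits(32) if client_isn is None else client_isn
    s_isn = random.getrandbits(32) if server_isn is None else server_isn
    syn = build(client_port, server_port, c_isn, 0, SYN)
    syn_ack = build(server_port, client_port, s_isn, c_isn + 1, SYN | ACK)
    ack = build(client_port, server_port, c_isn + 1, s_isn + 1, ACK)
    return [syn, syn_ack, ack]


def closed_port_reply(syn_raw):
    """What a closed port sends back instead of SYN/ACK: RST|ACK acknowledging the SYN."""
    s = parse(syn_raw)
    return build(s["dst_port"], s["src_port"], 0, s["seq"] + 1, RST | ACK)


if __name__ == "__main__":
    for seg in handshake(51000, 443):
        p = parse(seg)
        print(f'{p["src_port"]:>5} -> {p["dst_port"]:<5} {"|".join(p["flag_names"]):8} '
              f'seq={p["seq"]} ack={p["ack"]}')
```

Random initial sequence numbers matter: a predictable ISN lets an off-path attacker forge the third segment, which is why every modern stack randomizes it.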
Explain OSI Reference Model.

Layer            What it does                                                             Examples / Devices        PDU
7 APPLICATION    Interface between the user and the computer; provides services to the    HTTP, SMTP                Data
                 user. Applications produce the data that has to be transferred over
                 the network.
6 PRESENTATION   The data from the application layer is extracted here and manipulated    JPEG, MPEG, TLS/SSL       Data
                 into the format required to transmit it over the network: translation
                 (e.g. ASCII to EBCDIC), encoding/decoding, encryption/decryption,
                 compression.
5 SESSION        Establishes, maintains and terminates the session between the two        NetBIOS, RPC              Data
                 communicating applications.
4 TRANSPORT      Provides reliable message delivery from process to process; ensures      TCP, UDP                  Segments
                 messages arrive in the order sent with no duplication; responsible for
                 error control and flow control.
3 NETWORK        Transmission of data from one host to another located on a different    Routers, Firewall, IPS    Packets
                 network; packet routing, i.e. selecting the best path from the routes
                 available.
2 DATA LINK      Node-to-node delivery of the message: framing, error control, flow       Switches, ARP             Frames
                 control. Divided into two sub layers: Logical Link Control (LLC) and
                 Media Access Control (MAC).
1 PHYSICAL       Transmits the raw bits over the cable or wireless medium.                Hubs, cables, NICs        Bits
Explain OSI model with an example.

Let's discuss how an email flows between sender and recipient using the OSI model.

1. The sender uses an application like Outlook to compose and send the email. - APPLICATION
2. The email is encoded, encrypted (if enabled) and compressed. - PRESENTATION
3. The sending host initiates and manages the session with the mail server. - SESSION
4. The email is split into segments and delivered error-free; the receiver acknowledges what it gets. - TRANSPORT
5. Each packet is routed from the sender's mail server to the recipient's mail server. - NETWORK
6. Node-to-node transmission happens using the next hop's MAC address. - DATA LINK
7. All the data is transmitted as bits through cables or wireless signals. - PHYSICAL

On the recipient's side the data moves from the cable up through the layers to the user's machine, where the presentation layer takes care of decoding, decrypting and decompressing the data. Finally the Outlook application displays the message to the recipient.
Explain TCP/IP Model

OSI is a reference model, whereas TCP/IP is the practical model the Internet actually uses. The functions remain the same, but a few of the OSI layers are merged in the TCP/IP model:

OSI MODEL                                   TCP/IP MODEL
7 Application, 6 Presentation, 5 Session    Application
4 Transport                                 Transport
3 Network                                   Internet
2 Data Link, 1 Physical                     Network Access (Link)
What is DNS and how it works?

DNS stands for Domain Name System.

It is a service that translates domain names to IP addresses (and, via PTR records, IP addresses back to names).

How DNS works?

- When a computer needs to reach a domain (like facebook.com) it sends a request to a server called the DNS resolver (the recursive DNS server it is configured with). If a mapping for the domain is found in the resolver's cache, the resolver returns the IP address. If not,
- the resolver reaches out to a root server. Root servers hold the index of the top level domains (TLDs) and refer the resolver to the name servers for the TLD (.com). There are 13 root server addresses globally, each served by many anycast instances.
- The TLD name server gives the address of the authoritative name server that holds the mapping for the requested domain name.
- If the authoritative name server has the requested record, it returns the IP address.
- This address is returned to the client that made the original request (and cached by the resolver for the record's TTL).
- The client now makes its request to that IP address and gets the response.
DNS follow-up questions.

Does DNS use UDP or TCP?

DNS uses both TCP and UDP, on port 53.
UDP for normal DNS queries.
TCP for zone transfers (AXFR/IXFR), and for any query whose answer does not fit in a UDP datagram: the server sets the TC (truncated) bit and the client retries the query over TCP.

DNS Record Types.

A (host address, IPv4)
AAAA (IPv6 host address)
ALIAS (auto-resolved alias; a provider-specific pseudo record that behaves like a CNAME at the zone apex)
CNAME (canonical name for an alias)
MX (mail exchange)
NS (name server)
PTR (pointer, reverse lookup)
SOA (start of authority)
SRV (location of a service)
TXT (descriptive text; also used for SPF, DKIM and domain verification)
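The resolution walk and the "UDP unless truncated" rule both come down to the DNS message format, so the block below builds a query the way a stub resolver does and parses a reply, including the name-compression pointers that trip up hand-written parsers. It is an added example serving the "how DNS works" and "UDP or TCP" questions above, not code from the original page; no packets are sent, the reply is constructed locally by build_response(), and the name www.example.com and address 203.0.113.10 are documentation values chosen for the demo.

```python
import struct

QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080     # header flag bits used below
TYPE_A, CLASS_IN = 1, 1
HEADER = struct.Struct("!HHHHHH")                    # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name):
    """Length-prefixed labels, e.g. www.example.com -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out) + b"\x00"


def build_query(txid, name, qtype=TYPE_A):
    """One-question recursive query: what a stub resolver sends to its resolver on UDP/53."""
    return HEADER.pack(txid, RD, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg, off):
    """Read a possibly compressed name at `off`; return (name, offset just past it in the original stream)."""
    labels, end, jumped, seen = [], off, False, set()
    while True:
        if off in seen:
            raise ValueError("compression pointer loop")    # malformed or hostile message
        seen.add(off)
        length = msg[off]
        if length & 0xC0 == 0xC0:                            # 11xxxxxx: 14-bit pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack_from("!H", msg, off)[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg):
    """Header flags plus the question and answer sections; A records are rendered as dotted quads."""
    txid, flags, qd, an, _ns, _ar = HEADER.unpack_from(msg, 0)
    off, questions, answers = HEADER.size, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "is_response": bool(flags & QR), "truncated": bool(flags & TC),
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def build_response(query, addr, ttl=300, truncated=False):
    """Constructed reply for the demo: echo txid and question, answer with one A record whose owner
    name is a compression pointer (0xC00C) back to the question name at offset 12."""
    txid = HEADER.unpack_from(query, 0)[0]
    question = query[HEADER.size:]
    flags = QR | RD | RA | (TC if truncated else 0)
    rr = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, 4) + bytes(int(o) for o in addr.split("."))
    return HEADER.pack(txid, flags, 1, 1, 0, 0) + question + rr


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    print(q.hex())
    print(parse_response(build_response(q, "203.0.113.10")))
```

A client that sees truncated=True in the parsed header is expected to repeat the same query over TCP; a resolver that accepts a reply whose txid does not match the query it sent is open to cache poisoning.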
What is DHCP and how it works?

DHCP stands for Dynamic Host Configuration Protocol.

A DHCP server automatically assigns an IP address and other network settings to each host on the network so they can communicate with other endpoints.

How DHCP works?
DHCP works on a process called DORA (Discover, Offer, Request, Acknowledge):

- When a computer that is configured to get its IP details automatically is powered on, it broadcasts a DHCP DISCOVER message to all hosts on the segment.
- After the DHCP server receives the DISCOVER it suggests an address by sending an OFFER to the client. The OFFER contains: IP address, subnet mask, default gateway, DNS servers and the lease period.
- After the client receives the offer it officially asks for that address by sending a REQUEST message. The REQUEST is also broadcast, so that any other server which made an offer knows its offer was declined.
- The server sends an ACKNOWLEDGE (ACK) message confirming the DHCP lease to the client. Now the client is allowed to use the new IP settings.

        CLIENT                 DHCP SERVER
          | ----- DISCOVER ------> |
          | <----- OFFER --------- |
          | ----- REQUEST -------> |
          | <--- ACKNOWLEDGE ----- |
DHCP follow-up questions.

What will the IP address of the client machine be when it sends the DISCOVER message?

The source IP will be 0.0.0.0 (the client has no address yet).

How does the client know the IP address of the DHCP server, to send a DISCOVER message?

The client does not know the DHCP server's address, hence it broadcasts the DISCOVER message, i.e. the destination IP is 255.255.255.255 (UDP source port 68, destination port 67). If the server sits on another subnet, a DHCP relay on the router forwards the broadcast to it.

What happens if no DHCP server is available on the network?

The client assigns itself an address from the APIPA (Automatic Private IP Addressing) range, 169.254.0.0 - 169.254.255.255, and keeps retrying DHCP in the background. Such a host can talk to neighbours on the same segment but has no default gateway, so no Internet access.

What happens when the DHCP server runs out of IP addresses?

When you start running out of addresses, your subnet is said to be oversubscribed. The DHCP server then refuses to assign an IP address (it simply does not answer the DISCOVER) until a device on the network releases its IP address, or its lease expires, making the address available again.
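The DORA exchange and the two failure modes from the follow-up questions (no server answers, pool exhausted) can be run end to end in a small simulation. This is an added example, not code from the original page: messages are dicts standing in for DHCP packets rather than the real wire format, the scope of two addresses and the MAC addresses are constructed, and the APIPA address is derived deterministically from the MAC for the demo (real clients pick one at random and probe it with ARP first).

```python
import ipaddress

UNSPECIFIED, BROADCAST = "0.0.0.0", "255.255.255.255"   # DISCOVER/REQUEST go from 0.0.0.0 to the broadcast address
APIPA = ipaddress.IPv4Network("169.254.0.0/16")


class DhcpServer:
    """One scope with DORA handling. Leases are keyed by the client's MAC (chaddr)."""

    def __init__(self, pool, mask, gateway, dns, lease_secs=86400):
        self.free = list(pool)          # addresses still available
        self.offered = {}               # mac -> ip reserved between OFFER and REQUEST
        self.leases = {}                # mac -> ip
        self.opts = {"subnet_mask": mask, "router": gateway, "dns": dns, "lease": lease_secs}

    def handle(self, msg):
        """Process one client message; return the reply, or None when the server stays silent."""
        mac, kind = msg["chaddr"], msg["type"]
        if kind == "DISCOVER":
            ip = self.leases.get(mac) or self.offered.get(mac)   # a known client gets its old address back
            if ip is None:
                if not self.free:
                    return None         # scope exhausted: no OFFER, the client's DISCOVER times out
                ip = self.free.pop(0)
                self.offered[mac] = ip
            return {"type": "OFFER", "chaddr": mac, "yiaddr": ip, **self.opts}
        if kind == "REQUEST":
            ip = msg["requested_ip"]
            if ip in (self.offered.get(mac), self.leases.get(mac)):
                self.offered.pop(mac, None)
                self.leases[mac] = ip
                return {"type": "ACK", "chaddr": mac, "yiaddr": ip, **self.opts}
            return {"type": "NAK", "chaddr": mac}   # asked for an address it was never offered
        if kind == "RELEASE":
            ip = self.leases.pop(mac, None)
            if ip is not None:
                self.free.append(ip)
            return None
        raise ValueError(f"unknown message type {kind}")


def apipa_address(mac):
    """Deterministic 169.254.x.y from the MAC, inside 169.254.1.0 - 169.254.254.255 (demo assumption)."""
    n = sum(int(b, 16) for b in mac.split(":"))
    return str(APIPA[256 + n % 65000])


def is_apipa(ip):
    return ipaddress.IPv4Address(ip) in APIPA


def client_boot(mac, server):
    """Run DORA for one client; returns the settings it ends up using."""
    fallback = {"ip": apipa_address(mac), "subnet_mask": "255.255.0.0", "router": None, "dns": None}
    if server is None:
        return fallback                  # no DHCP server on the segment at all
    offer = server.handle({"type": "DISCOVER", "chaddr": mac, "src": UNSPECIFIED, "dst": BROADCAST})
    if offer is None:
        return fallback                  # DISCOVER timed out (pool exhausted)
    ack = server.handle({"type": "REQUEST", "chaddr": mac, "requested_ip": offer["yiaddr"],
                         "src": UNSPECIFIED, "dst": BROADCAST})
    if ack["type"] != "ACK":
        return fallback
    return {"ip": ack["yiaddr"], **{k: ack[k] for k in ("subnet_mask", "router", "dns")}}


if __name__ == "__main__":
    srv = DhcpServer(["10.10.5.50", "10.10.5.51"], "255.255.255.0", "10.10.5.1", "10.10.5.2")
    for mac in ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"):
        print(mac, client_boot(mac, srv))       # third client lands in 169.254.0.0/16
    print("no server:", client_boot("aa:bb:cc:00:00:04", None))
```

Because the exchange is unauthenticated, any host that answers DISCOVER first wins; a rogue DHCP server can hand out itself as router and DNS, which is what DHCP snooping on switches is meant to stop.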
Explain ARP.

ARP stands for Address Resolution Protocol.

It resolves an IP address to a physical address (MAC address) on the local segment.

How ARP works?

1. When a source device wants to communicate with another device, it checks its ARP cache to find out whether it already has a resolved MAC address for the destination. If it is there, it uses that MAC address. If not, the source broadcasts an ARP request ("who has 10.0.0.1? tell 10.0.0.10") to the local network.

2. The request is received by every device on the LAN since it is a broadcast. When the device that owns the IP address receives the ARP request, it sends an ARP reply with its MAC address to the source as a unicast.

3. The source machine updates its ARP cache with the mapping and keeps it for a few minutes.

ARP has no authentication: any host can send a reply claiming any IP address, and most stacks accept it even when they did not ask, which is what ARP spoofing (cache poisoning) exploits. Static ARP entries, dynamic ARP inspection on switches, or tools that alert when the MAC behind an IP changes are the usual defences.
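The three steps above, plus the one check a defender adds (alert when the MAC behind a known IP changes, as arpwatch does), as an added example that is not code from the original page. A Python list stands in for the shared Ethernet segment; the hosts, addresses and MACs are constructed for the demo, and the spoof() helper exists only to exercise the alert.

```python
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


class Host:
    """A host on one Ethernet segment; `lan` is the shared list of hosts standing in for the wire."""

    def __init__(self, name, ip, mac, lan):
        self.name, self.ip, self.mac, self.lan = name, ip, mac, lan
        self.arp_cache = {}      # ip -> mac
        self.alerts = []         # IP-to-MAC changes noticed (what arpwatch or DAI would flag)
        lan.append(self)

    def send(self, frame):
        """Put a frame on the segment: broadcast reaches everyone, unicast only the owner of dst_mac."""
        for host in self.lan:
            if host is not self and frame["dst_mac"] in (BROADCAST_MAC, host.mac):
                host.receive(frame)

    def resolve(self, target_ip):
        """Steps 1-3 from the page: cache hit, else broadcast a request and learn from the reply."""
        if target_ip in self.arp_cache:
            return self.arp_cache[target_ip]
        self.send({"op": "request", "sender_ip": self.ip, "sender_mac": self.mac,
                   "target_ip": target_ip, "dst_mac": BROADCAST_MAC})
        return self.arp_cache.get(target_ip)        # None if nobody answered

    def receive(self, frame):
        if frame["op"] == "request" and frame["target_ip"] == self.ip:
            self.learn(frame["sender_ip"], frame["sender_mac"])   # RFC 826: the target learns the requester too
            self.send({"op": "reply", "sender_ip": self.ip, "sender_mac": self.mac,
                       "target_ip": frame["sender_ip"], "dst_mac": frame["sender_mac"]})
        elif frame["op"] == "reply":
            self.learn(frame["sender_ip"], frame["sender_mac"])   # accepted even if unsolicited, like most stacks

    def learn(self, ip, mac):
        old = self.arp_cache.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"{ip} changed {old} -> {mac}")  # spoofing, or a legitimately replaced NIC
        self.arp_cache[ip] = mac


def spoof(attacker, victim, claimed_ip):
    """Unsolicited reply claiming `claimed_ip` is at the attacker's MAC (the cache-poisoning primitive)."""
    attacker.send({"op": "reply", "sender_ip": claimed_ip, "sender_mac": attacker.mac,
                   "target_ip": victim.ip, "dst_mac": victim.mac})


if __name__ == "__main__":
    lan = []
    pc = Host("pc", "10.0.0.10", "aa:aa:aa:aa:aa:10", lan)
    gw = Host("gw", "10.0.0.1", "aa:aa:aa:aa:aa:01", lan)
    evil = Host("evil", "10.0.0.66", "ee:ee:ee:ee:ee:66", lan)
    print("gateway is at", pc.resolve("10.0.0.1"))
    spoof(evil, pc, "10.0.0.1")
    print("after poisoning:", pc.arp_cache["10.0.0.1"], pc.alerts)
```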
What are proxy servers and how do they protect computer networks?

A proxy server processes requests on behalf of other machines: the client connects to the proxy, and the proxy opens its own connection to the destination, so the destination only ever sees the proxy's IP address. (This differs from NAT, which rewrites addresses inside packets without terminating the connection.)

Proxy servers primarily prevent external users from identifying the IP addresses of the internal network. Without knowledge of the internal addresses, even the layout of the network cannot be mapped from outside.

Because the proxy sees the full request, it can also authenticate users, filter URLs and content, and log every connection, which is why a forward proxy is a common egress control.
When you use a proxy, is the DNS query done by the client or the proxy server?

It depends on the type of proxy being used.

If it is a simple IP proxy (a SOCKS4 proxy, for example), the client does the DNS query, resolves the destination domain name and sends the request for that IP to the proxy.

If the proxy is an HTTP proxy (web proxy), the client sends the request, with the full URL, directly to the proxy. The proxy does the DNS resolution and forwards the traffic. (SOCKS5 supports either mode, depending on whether the client passes a hostname or an IP address.)

This matters for monitoring: only in the second case do the client's lookups show up on the proxy rather than on the internal DNS server.
Few random questions

Can you connect 2 computers directly?
Yes, with a cross-over cable (modern NICs support auto MDI-X, so a normal straight-through cable usually works too).

I give you a new laptop, explain how you will connect to the internet.

- Assuming the OS is already installed, I will look to assign the IP details:
  IP Address
  Subnet Mask
  Default Gateway
  DNS Server
- I will get these details from the network engineer who designed the network.
- Alternatively, if there is a DHCP server on the network, I will configure the new laptop to get the IP details automatically.
- Then I ping a public IP like 8.8.8.8 to confirm that the laptop can reach the internet.
- Also, ping a hostname like www.google.com to check that DNS is working fine. If the IP ping works but the hostname ping fails, the problem is DNS, not connectivity.

ICMP works on which layer?
ICMP works on Layer 3 (it is carried directly inside IP, as IP protocol number 1).

What port does ping use?

Ping uses ICMP (Internet Control Message Protocol); it does not use TCP or UDP. To be more precise, ICMP type 8 (echo request) and type 0 (echo reply) messages are used. ICMP has no ports, so a firewall rule for ping matches on the ICMP type, not on a port number.
What happens when you type a URL (like www.google.com) into your browser and press enter?

When you type www.google.com into the address bar of the browser:

1. The client needs to find the IP address for the host name (in this case www.google.com):
   a. The browser checks its own cache to see if it has the IP address for the entered domain.
   b. If there is no mapping, it checks the OS cache (and the hosts file).
   c. If the OS cache also doesn't have the IP address, the client sends a DNS request to the configured DNS server.
2. Once the client has the IP address, the browser initiates a TCP connection with the server (3-way handshake). For an https URL a TLS handshake follows, in which the browser validates the server's certificate.
3. The browser sends an HTTP request to the web server.
4. The server handles the request and sends back a response.
5. The browser renders the HTML content (and repeats steps 1-4 for every image, script and stylesheet the page references).
Firewall related questions.

What is Firewall?
A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules (an ACL, Access Control List). Traditional firewalls work at Layer 3 and Layer 4 (IP addresses, protocol and ports).

When we can write ACLs on a Router, why do we need a Firewall?
The primary function of a router is to route traffic. Adding packet filtering to the router slows the network down, and a plain router ACL is stateless, so it cannot tell a reply belonging to an allowed session from an unsolicited packet. Hence it is good practice to separate filtering from routing.

What is DMZ?
DMZ stands for DeMilitarized Zone. It is a network segment used to host public-facing servers. The DMZ isolates the public-facing servers from internal servers, so if a server in the DMZ is compromised the attack does not spread directly to the internal network.

What is Implicit Deny?
If traffic is not explicitly allowed by a rule in the access list, then by default it is denied (the invisible last rule of every ACL).

What is the difference between Firewall Deny and Drop?
When the firewall is set to Deny (reject) a connection, it blocks the connection and sends a Reset (RST) packet, or an ICMP unreachable message, back to the requester (source), which therefore fails immediately.
When the firewall is set to Drop a connection, it silently discards the request without giving any message to the requester, which waits until its connection attempt times out.
It is good practice to Deny outbound traffic (so internal users and applications fail fast) and Drop inbound traffic, so an attacker scanning from outside cannot tell a filtered port from a dead host and does not learn the presence of the firewall.
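The three outcomes of a connection attempt (accepted, refused with RST, no answer) are exactly what the "telnet to the port" check earlier on this page and the Deny-versus-Drop distinction here rely on, so the block below does that probe with a plain TCP connect and names the failure mode. It is an added example serving both questions, not code from the original page. The demo() function uses a listener on 127.0.0.1 that the script opens and closes itself so that it runs offline; the "filtered" branch can only be seen against a real host behind a dropping firewall.

```python
import socket


def check_port(host, port, timeout=3.0):
    """TCP connect probe: the same test as `telnet host port`, with the failure mode named."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"                    # SYN/ACK came back: something is listening
    except ConnectionRefusedError:
        return "closed"                  # RST came back: closed port, or a firewall REJECT / Deny
    except socket.timeout:
        return "filtered"                # nothing came back within the timeout: DROP, or host down
    except OSError as e:
        return f"error: {e.errno}"       # e.g. no route to host
    finally:
        s.close()


def free_listener():
    """Bind an ephemeral port on loopback and start listening; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port 0: let the OS pick a free one
    srv.listen(1)
    return srv, srv.getsockname()[1]


def demo():
    """Probe the same port while a listener is up and after it is closed."""
    srv, port = free_listener()
    try:
        while_open = check_port("127.0.0.1", port, timeout=1.0)
    finally:
        srv.close()
    after_close = check_port("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    print(demo())                        # ('open', 'closed')
```

Seen from the scanner's side, a "closed" answer proves a host is there and reachable, while "filtered" tells it nothing; that asymmetry is the reason the page recommends dropping, not rejecting, unsolicited inbound traffic.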


What is Stateful Inspection?
A stateful firewall records each connection it has allowed in a state table (source and destination IP and port, protocol, TCP state). Further packets that belong to a tracked session are permitted to pass through the firewall without re-evaluating the rule base, and packets that claim to belong to a session that does not exist (for example a stray ACK) are dropped.

What is VPN?

A virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across public networks as if they were directly connected to the private network. The traffic is carried in an encrypted tunnel (IPsec or TLS).

There are 2 types of VPN:
- Site-to-Site VPN - Used to connect two office locations (gateway to gateway).
- Remote Access VPN - Used by individual users to connect to the corporate network.
More cybersecurity interview questions & answers @ https://bit.ly/ag-soc-qna by anand guru EXPERTS


IPS/IDS related questions.

What is IDS?

An Intrusion Detection System is a network security solution that detects malicious traffic, primarily based on signatures. IDS systems compare the current network activity to a known threat database (network signatures) to detect several kinds of behaviour like security policy violations, malware and port scanners. Many also add anomaly-based detection for traffic that matches no signature.

Difference between IPS and IDS.
An IDS sits out of band (on a SPAN port or a tap), scans a copy of the traffic, detects malicious traffic based on network signatures and reports it to the admin.
An IPS sits inline, scans the traffic, detects and can also block (prevent) the malicious traffic based on network signatures. Being inline, a false positive on an IPS blocks legitimate traffic, so its rules are tuned more conservatively.

Explain IDS Signature syntax.

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;)

Rule Header (everything before the parentheses):
alert - Rule action. Snort will generate an alert when the set condition is met.
icmp - Protocol the rule applies to.
any - Source IP. Snort will look at all sources.
any - Source port. Snort will look at all ports.
-> - Direction. From source to destination.
$HOME_NET - Destination IP. We are using the HOME_NET variable from the snort.conf file.
any - Destination port. Snort will look at all ports on the protected network.

Rule Options (inside the parentheses, each terminated by a semicolon):
msg:"ICMP test" - Snort will include this message with the alert.
sid:1000001 - Snort rule ID (IDs from 1000000 upward are reserved for local rules).
rev:1 - Revision number. This option allows for easier rule maintenance.
classtype:icmp-event - Categorizes the rule as an "icmp-event", one of the predefined Snort categories.
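A parser for the header/options split described above, with the header then applied to sample packets, is the quickest way to check one's reading of a rule. The block below is an added example, not Snort's own code and not code from the original page: it handles the header grammar and the "key:value;" option list (including semicolons inside quoted content), but not port lists, negation or multi-value variables, and the HOME_NET value 10.10.0.0/16 and the packets are constructed for the demo.

```python
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)$"
)


def split_options(opts):
    """Split the option block on ';' but not inside double quotes (content:"a;b" is legal)."""
    items, cur, in_quotes = [], [], False
    for ch in opts:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return [i.strip() for i in items if i.strip()]


def parse_rule(text):
    """Split a Snort rule into its header fields plus an ordered list of (option, value) pairs."""
    head, sep, opts = text.strip().partition("(")
    if not sep or not opts.endswith(")"):
        raise ValueError("rule needs an option block in parentheses")
    m = HEADER_RE.match(head.strip())
    if not m:
        raise ValueError(f"bad rule header: {head.strip()!r}")
    rule = m.groupdict()
    rule["options"] = []
    for item in split_options(opts[:-1]):
        key, _, value = item.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        rule["options"].append((key.strip(), value or None))   # flags like nocase carry no value
    return rule


def option(rule, name):
    return next((v for k, v in rule["options"] if k == name), None)


def header_matches(rule, pkt, variables):
    """Evaluate only the rule header against a packet dict; 'any' and $VAR (from snort.conf) expand here."""
    def addr_ok(spec, ip):
        if spec.startswith("$"):
            spec = variables[spec[1:]]                 # assumes one CIDR per variable
        return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

    def port_ok(spec, port):
        return spec == "any" or spec == str(port)

    if rule["proto"] != pkt["proto"]:
        return False
    forward = (addr_ok(rule["src"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])
               and addr_ok(rule["dst"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"]))
    if rule["dir"] == "->":
        return forward
    backward = (addr_ok(rule["src"], pkt["dst"]) and port_ok(rule["sport"], pkt["dport"])
                and addr_ok(rule["dst"], pkt["src"]) and port_ok(rule["dport"], pkt["sport"]))
    return forward or backward


if __name__ == "__main__":
    rule = parse_rule('alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;)')
    variables = {"HOME_NET": "10.10.0.0/16"}                   # constructed snort.conf value
    for pkt in ({"proto": "icmp", "src": "203.0.113.5", "sport": 0, "dst": "10.10.5.7", "dport": 0},
                {"proto": "icmp", "src": "10.10.5.7", "sport": 0, "dst": "8.8.8.8", "dport": 0}):
        print(pkt["src"], "->", pkt["dst"], option(rule, "msg") if header_matches(rule, pkt, variables) else "no match")
```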


Difference between IPS and Firewall.
A firewall inspects the TCP/IP headers and applies ACLs (addresses, protocol, ports).
An IPS does deep packet inspection (checks both the headers and the payload) using network signatures.

Where do you place an IPS?

An IPS is usually placed behind the firewall. The firewall does the heavy lifting of blocking all the unwanted traffic based on the TCP/IP headers, and the IPS does deep packet inspection only on the traffic that is allowed through. Because of this an IPS needs more processing power per packet than a firewall.

If the IPS were placed first, it would unnecessarily do deep packet inspection on all the traffic, while a good amount of that traffic could have been blocked just by inspecting the TCP/IP headers with a packet filtering device like a firewall.
Questions on Linux commands

Question                                                                          Command
Change directory                                                                  cd <directory>
How do you check running processes?                                               ps auxf
Disk statistics (free space per filesystem)                                       df -h
How do you find a file on Linux?                                                  find / -name <file_name>
How do you kill a process in Linux?                                               kill -9 <process_id> (try plain kill <process_id>, i.e. SIGTERM, first)
How do you get help on a command?                                                 man <command>, e.g. man top; or <command> --help, e.g. top --help
Create a new directory                                                            mkdir <new_directory_name>
Change password                                                                   passwd
Present working directory                                                         pwd
How do you open a text file to see the latest (last) lines during troubleshooting?  tail -f <file_name>
How do you display data regarding RAM and CPU?                                    top
Packet capture                                                                    tcpdump -vvnni eth0
How do you find the IP address on a Linux machine?                                ifconfig (or ip addr on modern distributions, where ifconfig is often not installed)
Interview Questions on
Security Concepts

What is CIA?

Confidentiality, Integrity and Availability, also known as the CIA triad, is a model designed to guide policies for information security within an organization. The elements of the triad are considered the three most crucial components of security.

Confidentiality - Only authorized individuals/systems can view sensitive or classified information. Data being sent over the network should not be readable by unauthorized individuals. Controls: Encryption, Access Control.

Integrity - Data is not altered, deleted or forged without authorization, and any change can be detected. Controls: Hashing, digital signatures, checksums.

Availability - Ensuring that systems and data are readily available to their users. Controls: Redundancy, Backups, Load Balancers.
What is Encryption? Explain types of encryption.

Encryption is the process of encoding information in such a way that only authorized parties can understand it.

Encryption is done using keys.

There are 2 types of encryption:

- Symmetric encryption - The same key is used for encryption and decryption. It is fast and is used for bulk data.
  E.g.: AES, Blowfish, RC4, DES, RC5 and RC6 (of these, only AES should be used today; DES and RC4 are broken).

- Asymmetric encryption - Different keys (a public/private key pair) are used for encryption and decryption. It is slower, and is used to exchange symmetric keys and for digital signatures.
  E.g.: RSA, elliptic curve cryptography (ECDH, ECDSA) and DSA (signatures only). PKCS is a family of standards describing how these algorithms are used, not an algorithm itself.
Explain Asymmetric Encryption.

In asymmetric encryption different keys are used for encryption and decryption.

They are known as the private key and the public key (together referred to as a key pair). The public key can be shared with anyone; the private key never leaves its owner.

Any data encrypted with the public key can only be decrypted by the corresponding private key (and data signed with the private key can be verified by anyone holding the public key).

Example:

- A server keeps a key pair. The public key is issued to all the users who request a connection.
- At the user's end, the application encrypts the data using the server-provided public key.
- Once the encrypted message reaches the server, the server decrypts the message using its private key.

In practice (as in TLS) the public key operation is used only to agree a symmetric session key, and the bulk data is then encrypted symmetrically, because asymmetric operations are slow and limited in message size.
What is Hashing?

- Hashing is the transformation of a string of characters (any data) into a fixed-length value that represents the original data.

  ABCDE  ->  (MD5)  ->  2ECDDE3959051D913F61B14579EA136D

- Hashing is one-way, i.e. it is not possible to get the data back from the hash value.
- Hashing is used to ensure the integrity of data: the smallest change in the input produces a completely different hash.

Examples:
- MD5 - 32 hexadecimal characters (128 bits)
- SHA-1 - 40 hexadecimal characters (160 bits)
- SHA-256 - 64 hexadecimal characters (256 bits)

MD5 and SHA-1 are broken for collision resistance and should not be used where an attacker could craft the input; SHA-256 (or SHA-3) is the current choice.
Explain difference between Encryption and Hashing.

Encryption                                                                 Hashing
Encryption is the process of encoding information in such a way that      Hashing is the transformation of a string of characters into a
only authorized parties can understand it.                                 fixed-length value that represents the original string.
Two-way, i.e. we can get the data back by decryption (with the key).      One-way, i.e. we cannot get the data back from the hash value.
Output is as long as (or slightly longer than) the input.                  Output is fixed length regardless of input size.
Needs a key.                                                               Needs no key (a keyed hash, HMAC, adds authentication).
Used to ensure confidentiality.                                            Used to ensure integrity (and to store passwords, with a salt and a slow hash).
Algorithms: AES, DES, Blowfish.                                            Algorithms: MD5, SHA-1, SHA-256.
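The hashing and encryption-versus-hashing questions above both hinge on what a hash does and does not give you: the block below shows the fixed digest lengths, the avalanche effect, and the practical caveat that a bare hash shipped next to a message proves integrity only against accidents, whereas an HMAC (a keyed hash) also proves who produced it. This is an added example, not code from the original page; the key and the messages are constructed for the demo, and it uses only the standard library.

```python
import hashlib
import hmac


def digest_lengths(data):
    """Hex digest length of the three algorithms the page lists: 32, 40 and 64 characters."""
    return {name: len(hashlib.new(name, data).hexdigest()) for name in ("md5", "sha1", "sha256")}


def bits_changed(a, b, algo="sha256"):
    """Avalanche effect: number of differing bits between the digests of two inputs (about half of 256)."""
    da = int(hashlib.new(algo, a).hexdigest(), 16)
    db = int(hashlib.new(algo, b).hexdigest(), 16)
    return bin(da ^ db).count("1")


def tag(key, msg):
    """HMAC-SHA256 over the message: integrity plus authenticity, because computing the tag needs the key."""
    return hmac.new(key, msg, "sha256").hexdigest()


def verify(key, msg, received_tag):
    """Constant-time comparison, so a forger cannot learn how many leading bytes were right from the timing."""
    return hmac.compare_digest(tag(key, msg), received_tag)


def tamper_demo(key):
    """Why a bare hash does not protect a message in transit but an HMAC does.

    The sender ships the message together with a check value. A man-in-the-middle replaces the
    message and recomputes the check value: with a plain hash that always passes, with an HMAC it fails.
    """
    original, altered = b"transfer 100 to account 42", b"transfer 900 to account 42"
    sent_tag = tag(key, original)
    # Attacker rewrites both the message and the hash; the receiver recomputes sha256(altered) and it matches.
    forged_hash = hashlib.sha256(altered).hexdigest()
    plain_accepted = hashlib.sha256(altered).hexdigest() == forged_hash
    # Attacker has no key, so the best it can do is forward the tag that belonged to the original message.
    hmac_accepted = verify(key, altered, sent_tag)
    return plain_accepted, hmac_accepted


if __name__ == "__main__":
    print(digest_lengths(b"ABCDE"))
    print("bits changed for a one-character edit:", bits_changed(b"ABCDE", b"ABCDF"))
    print("plain hash accepted, HMAC accepted:", tamper_demo(b"k" * 32))
```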
What is Vulnerability, Risk, Threat and Exploit?

Vulnerability - Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.

Risk - The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability (often expressed as likelihood x impact).

Threat - Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage or destroy an asset.

Exploit - The tool or mechanism used to take advantage of the vulnerability.
Explain Defense in Depth.

- Defense in Depth (DiD) is an approach to cybersecurity in which a series of defensive mechanisms are layered in order to protect valuable data and information.
- If one mechanism fails, another is already in place to thwart the attack.
- This multi-layered approach with intentional redundancies increases the security of the system as a whole and addresses many different attack vectors.

Typical layers, from the outside in: Policies, Procedures and Awareness; Physical; Perimeter; Internal Network; Host; Application; Data.
What is System Hardening?

System hardening is the process of securing a system by reducing its attack surface.

A few things on the system hardening checklist include:
- Changing the default user credentials
- Closing all unused ports
- Stopping and disabling all unused services
- Installing updates and patches
- Implementing access control (least privilege for users and service accounts)
- Installing antivirus/EDR and keeping the signatures up to date
What is Zero Trust Model?

Zero trust security is an IT security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they sit inside or outside the network perimeter.

A few principles of the zero trust model are:
- Assume there are attackers both inside and outside the network, so no user or device is trusted by default because of its network location.
- Least privilege: grant each identity only the access it needs, for as long as it needs it.
- Use multi-factor authentication wherever possible.
- Verify every request (per-request authorization and micro-segmentation rather than one check at the perimeter).
Explain Kerberos.

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow systems to prove their identity to one another in a secure manner, without sending the password over the network.

Here are the most basic steps taken to authenticate in a Kerberized environment:
- The client requests an authentication ticket (TGT) from the Key Distribution Center (KDC).
- The KDC verifies the credentials (the request carries a timestamp encrypted with a key derived from the user's password) and sends back an encrypted TGT and a session key.
- The TGT is encrypted with the secret key of the Ticket Granting Service (TGS), so the client can neither read nor alter it.
- The client stores the TGT, and when it expires the local session manager requests another TGT (this process is transparent to the user).

If the client is requesting access to a service or other resource on the network, this is the process:
- The client sends the current TGT to the TGS with the Service Principal Name (SPN) of the resource it wants to access.
- The KDC verifies the TGT and that the user has access to the service.
- The TGS sends back a service ticket (encrypted with the service's own key) and a session key for the service.
- The client forwards the service ticket to the service to prove the user has access, and the service grants access.
If budget is not a concern how do you secure a web server?

If budget is not a concern, a web server can be secured by deploying the following technologies:

Network Security
- Anti-DDoS technology
- Firewall (to block traffic on unnecessary ports)
- Intrusion Prevention System
- Web Application Firewall

Host Security
- Antivirus / EDR
- HIPS / host firewall
- Application control (to restrict the processes that may run)

Apart from these preventive technologies, we should implement system hardening and also enable log monitoring on the web servers (forwarding the logs to a SIEM).

Also, the web application should be thoroughly tested by application penetration testing methods, and retested after every significant release.
What do you understand by compliance in Cybersecurity?

A compliance framework is a structured set of guidelines that details an organization's processes for maintaining its cyber security, which the organization must demonstrate (usually through audits) that it follows.

There are industry specific compliance frameworks like:

PCI-DSS - To protect credit card data (banks, payment processors and e-commerce).
HIPAA - To protect patients' health information (hospitals and insurance companies, US).
SOX - Financial reporting controls for publicly listed companies (US).
GDPR - Data protection for European companies and any business that handles the personal data of people in the EU.
Hackers and their motivation

Different types of hackers:

- White Hat Hackers
  White hat hackers are authorized hackers who work for governments and organizations, performing penetration testing and identifying loopholes in their cybersecurity, with permission and within an agreed scope.
- Black Hat Hackers
  Black hat hackers are hackers who hack with malicious intent, such as financial gain.
- Grey Hat Hackers
  Grey hat hackers fall somewhere between white hat and black hat hackers. They are not legally authorized; they work with both good and bad intentions and may use their skills for personal gain.
- Script Kiddie
  A script kiddie is an unskilled person who uses scripts or downloaded hacking tools written by other hackers.
- Hacktivist
  A hacktivist is a hacker or a group of anonymous hackers who gain unauthorized access to government or corporate computer files and networks to further social or political ends.
- State/Nation Sponsored Hackers
  State or nation sponsored hackers are appointed by a government to provide it with cyber capability and to gain confidential information from other countries, to stay ahead or to avoid any kind of danger to the country.
- Malicious Insider or Whistleblower
  A malicious insider is an employee of a company or government agency who abuses legitimate access to inside operations or data. A whistleblower is an insider who gains knowledge of operations he believes to be illegal and threatens to, or does, go public. The two are often grouped together as the insider threat, although their motivations differ.
Few random questions.

If you had to both compress and encrypt data during a transmission, which would you do first?

- Compress first (to reduce the size) and then encrypt. Encrypting more data takes longer, and properly encrypted data looks random, so it no longer compresses.
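The size difference is easy to measure. The following is an added example (not part of the original page) using only the Python standard library; the cipher is a one-time-pad XOR chosen purely because its output is uniformly random like any sound cipher's, not a recommendation for real transmissions. Note the practitioner's caveat that comes with this ordering: compressing attacker-influenced data together with secrets before encryption leaks information through the ciphertext length (the CRIME/BREACH class of attacks), so web stacks usually disable compression for such data.

```python
import os
import zlib


def constructed_plaintext() -> bytes:
    """Repetitive log-like text (constructed for this example)."""
    return b"".join(
        b"2024-01-01T00:00:%02dZ host=web01 status=200 path=/index.html\n" % (i % 60)
        for i in range(400)
    )


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Stand-in for a stream cipher: XOR with a random key at least as long as the data
    (a one-time pad). Used only because its output is uniformly random; a real
    transmission would use an AEAD such as AES-GCM."""
    if len(key) < len(data):
        raise ValueError("keystream too short")
    return bytes(d ^ k for d, k in zip(data, key))


def compress_then_encrypt(data: bytes, key: bytes) -> bytes:
    compressed = zlib.compress(data, 9)      # redundancy removed first...
    return xor_keystream(compressed, key)    # ...then the small result is encrypted


def encrypt_then_compress(data: bytes, key: bytes) -> bytes:
    ciphertext = xor_keystream(data, key)    # random-looking bytes...
    return zlib.compress(ciphertext, 9)      # ...cannot be compressed (zlib stores them)


def size_comparison(data: bytes = None) -> dict:
    """Byte counts for both orderings on the same input and keystream."""
    data = constructed_plaintext() if data is None else data
    key = os.urandom(len(data) + 64)         # fresh keystream, long enough for either order
    return {
        "plaintext": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(data, key)),
        "encrypt_then_compress": len(encrypt_then_compress(data, key)),
    }
```

Running `size_comparison()` shows the compressed-then-encrypted output at a small fraction of the plaintext, while encrypt-then-compress comes out slightly larger than the plaintext because zlib falls back to stored blocks on incompressible input.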


Between TLS and SSL, which is more secure?

- TLS. SSL is the predecessor of TLS.

What is a Zero-day?

- A vulnerability or a malware that has been identified but doesn't have a fix (patch or signature) yet. It is also the time period between a vulnerability/malware being identified and the release of a patch/signature.

Difference between VA and PT.

- Vulnerability Assessment is the process of identifying the vulnerabilities in a system or network.
- Penetration Testing goes one step further: after identifying the vulnerabilities, it exploits them.
Interview Questions on Cyber Attacks

What is Cyber Kill Chain?

The Cyber Kill Chain defines the steps used by an attacker to launch and carry out a cyber attack. It was defined by Lockheed Martin and has 7 phases:

1. Reconnaissance - Research, identification and selection of targets
2. Weaponization - Pairing remote access malware with an exploit into a deliverable payload
3. Delivery - Transmission of the weapon to a target
4. Exploitation - The weapon's code is triggered, exploiting the vulnerable applications
5. Installation - The weapon installs a backdoor
6. Command and Control - The compromised machine talks to the attacker's machine
7. Actions on Objectives - The ultimate goal of the attack
anand guru 


EXPERTS 


What is MITRE ATT&CK Framework?

The MITRE ATT&CK framework is a comprehensive matrix of tactics and techniques used by threat hunters, red teamers, and defenders to better classify attacks and assess an organization's risk.

It highlights 12 Tactics and more than 250 Techniques that attackers use.
What are TTPs?

TTPs stand for Tactics, Techniques and Procedures.

TTPs are patterns of activities or methods associated with a specific threat actor or group of threat actors.
What is an exploit and payload?

An exploit is a tool that takes advantage of a vulnerability. Usually an exploit is used to penetrate a system by taking advantage of an existing vulnerability.

Example - EternalBlue, which took advantage of an SMB vulnerability.

The payload is the actual malware: the part of the malware that does the damage (deleting files, stopping services, encrypting files, gathering and sending sensitive information, taking pictures etc.)

Example - WannaCry used EternalBlue as the exploit and had the ultimate intention of encrypting files and demanding a ransom.
Explain Brute-force attack.

Brute-force is a password guessing attack. It tries various combinations of usernames and passwords again and again until it gets in.

Mitigation:

- Encourage users to use complex passwords
- Lock out accounts after a few failed attempts
- Use CAPTCHA to slow down brute-force
- Use multifactor authentication
Explain Dictionary attack.

A dictionary attack is a type of brute-force attack. It uses a list of words from a dictionary as passwords.

A dictionary attack can also be personalized by using details of the target like date of birth, spouse's name, children's names, vehicle number etc.

Mitigation:

- Advise users not to use a simple word or easily identifiable personal information as a password.
- Encourage users to use complex passwords
- Lock out accounts after a few failed attempts
- Use CAPTCHA to slow down brute-force
- Use multifactor authentication
Explain Rainbow table attack.

A rainbow table attack is a type of brute-force attack that uses pre-computed password hashes, i.e. instead of trying to submit the password, it tries to match the hash in the user database.

Mitigation:

- Rainbow table attacks can easily be prevented by using salting. Salt is random data that is passed into the hash function along with the plain text.
- Lock out accounts after a few failed attempts
- Use CAPTCHA to slow down brute-force
- Use multifactor authentication
What is Pass-the-hash attack?

Pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying hash of a user's password, instead of requiring the associated plaintext password as is normally the case.

This reduces the effort of the attacker, as he does not have to crack the plaintext password from the stolen hash.

Mitigation:

- Restrict and protect high-privileged domain accounts. This mitigation reduces the risk of administrators inadvertently exposing privileged credentials to higher-risk computers.
- Restrict and protect local accounts with administrative privileges. This mitigation restricts the ability of attackers to use local administrative accounts for lateral-movement (PtH) attacks.
- Restrict inbound traffic using the Windows Firewall. This mitigation restricts attackers from initiating lateral movement from a compromised workstation by blocking inbound connections on all other workstations with the local Windows Firewall.
What is Scanning?

Scanning is a method for discovering exploitable communication channels:

- Scanning for open ports
- Scanning for known vulnerabilities

Mitigation:

- Use Firewall and IPS
- OS hardening
- Use honeypots to detect scanning activities
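A firewall or IPS detects scanning by the shape of the traffic: one source touching many distinct ports in a short window. The following added example (not from the original page) implements that rule over constructed firewall log lines; the log format, the 20-port threshold and the 60-second window are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def make_sample_logs() -> str:
    """Constructed firewall log (syslog-like key=value lines); not from any real device.
    203.0.113.7 probes 40 ports within 4 seconds; 192.0.2.5 makes three normal HTTPS connections."""
    lines = []
    for i in range(40):
        lines.append(
            f"2024-03-01T10:00:{i // 10:02d}Z action=deny src=203.0.113.7 "
            f"dst=198.51.100.10 dport={21 + i} proto=tcp"
        )
    for minute in range(3):
        lines.append(
            f"2024-03-01T10:{minute:02d}:05Z action=allow src=192.0.2.5 "
            f"dst=198.51.100.10 dport=443 proto=tcp"
        )
    return "\n".join(lines)


def parse_line(line: str) -> dict:
    """Parse '<timestamp> k=v k=v ...' into a dict with a datetime and an int port."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def detect_port_scans(lines, threshold: int = 20, window: timedelta = timedelta(seconds=60)) -> list:
    """Flag a source that touches at least `threshold` distinct (dst, dport) pairs inside `window`."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    per_src = defaultdict(list)
    for rec in events:
        per_src[rec["src"]].append(rec)

    alerts = []
    for src, recs in per_src.items():
        start = 0
        in_window = Counter()  # (dst, dport) -> hits currently inside the sliding window
        for rec in recs:
            in_window[(rec["dst"], rec["dport"])] += 1
            # slide the window start forward past events older than `window`
            while rec["ts"] - recs[start]["ts"] > window:
                old = (recs[start]["dst"], recs[start]["dport"])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts.append({
                    "src": src,
                    "distinct_ports": len(in_window),
                    "first_seen": recs[start]["ts"].isoformat(),
                    "last_seen": rec["ts"].isoformat(),
                })
                break  # one alert per source is enough for a triage queue
    return alerts
```

The legitimate client hits the same port three times, so its window never holds more than one distinct pair and it is never flagged; the probing source is flagged the moment its 20th distinct port appears.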
What is Sniffing Attack?

Sniffing is the theft or interception of data by capturing the network traffic as it flows through a computer network.

It is usually done using a packet sniffer.

Mitigation:

- Avoid using insecure protocols (like HTTP, FTP, Telnet etc.) and use secured versions (like HTTPS, SFTP, SSH etc.)
- Use encryption whenever possible for data transmission.
What is Spoofing?

Spoofing is a malicious practice employed by cyber scammers and hackers to deceive systems, individuals, and organizations into perceiving something to be what it is not.

A few types of spoofing:

- IP Spoofing
- MAC Address Spoofing
- Email Spoofing
- DNS Spoofing

Mitigation:

- Deploy IPS (IP Spoofing)
- Educate users (Email Spoofing)
- Enable port-level security (ARP and MAC Address Spoofing)
Explain Phishing.

- Phishing is a cyber attack that uses a disguised email as a weapon.
- The goal is to trick the email recipient into believing that the message is something they want or need.
- Example: a request from their bank, or a note from someone in their company.
- The ultimate intention is to get the user to click a link or download an attachment.

Mitigation:

- Use Email Security Solutions (to block obvious phishing and spam emails)
- Educate users
- Use DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC is a standard for verifying the authenticity of an email. It offers email receivers a way to verify whether a message really is from an authorized sender or not.
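DMARC is published as a TXT record at `_dmarc.<domain>`, and its protection depends on the tags it carries, not just on its presence. The following added example (not from the original page) parses such a record and reports the weaknesses a reviewer would look for: a monitoring-only policy, partial `pct=` enforcement, a missing aggregate-report address, or an unprotected subdomain policy. The tag names and defaults follow RFC 7489; the sample records are constructed.

```python
def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...' into tag/value pairs.
    Tag names come from RFC 7489: v= must be first and p= is mandatory."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or not txt.strip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record (must start with v=DMARC1)")
    if "p" not in tags:
        raise ValueError("missing mandatory policy tag p=")
    return tags


def assess_dmarc(txt: str) -> dict:
    """Judge how much spoofing protection the record actually gives the domain."""
    tags = parse_dmarc_record(txt)
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))                  # defaults to 100 when absent
    subdomain_policy = tags.get("sp", policy).lower()  # defaults to the domain policy
    findings = []
    if policy == "none":
        findings.append("p=none: receivers only report; spoofed mail is still delivered")
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    return {
        "policy": policy,
        "pct": pct,
        "subdomain_policy": subdomain_policy,
        "enforcing": policy in ("quarantine", "reject") and pct == 100,
        "findings": findings,
    }
```

To check a real domain, fetch the record with `dig TXT _dmarc.example.com` and pass the quoted string to `assess_dmarc`. A record is only "enforcing" when the policy is quarantine or reject and applies to 100% of failing mail.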
Other Phishing Attacks

Explain Spear Phishing.

Spear phishing is an email scam targeted at a specific individual, organization or business. Attackers use the information they gathered during reconnaissance to make the email appear personalized.

Explain Whaling.

Whaling is a type of phishing that targets senior management, leadership teams or other important individuals at an organization.

Explain Vishing.

Vishing works similarly to phishing, but instead of sending an email, the attacker tricks the target into giving critical/sensitive information over a phone call.
Explain DOS and DDOS attack.

Denial-of-Service (DOS) is a type of cyberattack in which the attacker seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services.

Examples: UDP floods, ICMP floods, SYN floods, fragmented packet attacks, Ping of Death etc.

Distributed Denial-of-Service (DDOS) is a type of attack where multiple systems are used to launch a DOS attack on one targeted system. Usually DDOS attacks are the result of multiple compromised systems (called botnets).

Mitigation:

- Use Anti-DDOS technology (like Arbor)
- Rate limit (limit the number of connections from an IP or user)
- Reduce connection wait time
- Deploy load balancers
Explain SYN flood attack.

A SYN flood attack is a type of DOS attack that exploits the normal TCP three-way handshake.

The attacker sends a huge number of connection requests (SYN) but never sends the acknowledgement (ACK) back to the server. This makes the server wait for a certain time and hold each half-open connection. This consumes all the concurrent connections on the target server, making it inaccessible to legitimate users.

[Diagram: the attacker sends a stream of SYNs; for each one the server opens a port and keeps "waiting for ACK"; a legitimate visitor cannot get a connection.]

Mitigation:

- Use Anti-DDOS technology (like Arbor)
- Rate limit (limit the number of connections from an IP or user)
- Reduce connection wait time
- Deploy load balancers
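Two of the mitigations listed for DOS/DDOS and for SYN floods above, "rate limit per IP" and "reduce connection wait time", can be seen working in a small simulation of a server's half-open connection table. This is an added example, not code from the original page: the traffic is constructed (one attacker that never completes the handshake, one legitimate visitor), and the backlog size of 128, the 75-second default wait and the per-source cap of 32 are assumptions chosen to make the effect visible.

```python
def build_scenario() -> list:
    """Constructed traffic as (time_ms, source, packet) tuples: attacker 203.0.113.9 sends a SYN
    every 20 ms for 10 s and never ACKs; legitimate visitor 192.0.2.5 sends SYN at 5000 ms
    and completes the handshake with an ACK at 5100 ms."""
    events = [(k * 20, "203.0.113.9", "SYN") for k in range(500)]
    events += [(5000, "192.0.2.5", "SYN"), (5100, "192.0.2.5", "ACK")]
    events.sort(key=lambda e: e[0])  # stable sort keeps the attacker's 5000 ms SYN first
    return events


def run_server(events, backlog_size=128, half_open_timeout_ms=75_000, per_source_limit=None) -> dict:
    """Simulate the server's half-open table. A SYN is dropped when the per-source cap is hit
    or the backlog is full; an ACK completes the oldest half-open entry from that source."""
    half_open = []  # (arrival_ms, src) for connections still waiting for the final ACK
    stats = {"accepted": 0, "completed": 0, "dropped_backlog_full": 0,
             "dropped_per_source_limit": 0, "completed_sources": set()}
    for t, src, kind in events:
        # expire entries that have waited longer than the configured timeout
        half_open = [(t0, s) for t0, s in half_open if t - t0 <= half_open_timeout_ms]
        if kind == "SYN":
            from_src = sum(1 for _, s in half_open if s == src)
            if per_source_limit is not None and from_src >= per_source_limit:
                stats["dropped_per_source_limit"] += 1
            elif len(half_open) >= backlog_size:
                stats["dropped_backlog_full"] += 1
            else:
                half_open.append((t, src))
                stats["accepted"] += 1
        elif kind == "ACK":
            for i, (_, s) in enumerate(half_open):
                if s == src:
                    del half_open[i]
                    stats["completed"] += 1
                    stats["completed_sources"].add(src)
                    break
    return stats


def compare_mitigations() -> dict:
    """Same attack, three server configurations."""
    events = build_scenario()
    return {
        "no_mitigation": run_server(events),
        "short_timeout": run_server(events, half_open_timeout_ms=2_000),
        "per_source_limit": run_server(events, per_source_limit=32),
    }
```

With the defaults the attacker fills all 128 slots before the visitor arrives and the visitor's SYN is dropped. A 2-second wait keeps only about 100 stale entries alive at any moment, so the visitor gets in; capping each source at 32 half-open connections has the same effect regardless of the timeout.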
Explain ARP poisoning.

- Also called ARP Spoofing.
- ARP poisoning is when an attacker sends falsified ARP messages over a local area network (LAN) to link the attacker's MAC address with the IP address of a legitimate computer or server on the network.
- It is used to carry out a Man-in-the-Middle attack.

Mitigation:

- Use static ARP entries
- Detect ARP poisoning using tools like XArp
- Set up packet filtering
- Install AV and keep signatures updated
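Tools like XArp work by watching ARP replies for inconsistencies. The following added example (not the page's or XArp's code) applies the two classic checks to a constructed capture: an IP whose MAC suddenly changes, and one MAC claiming several IPs, plus a comparison against the static ARP entries the mitigation list recommends. The addresses and timings are made up for the example.

```python
SAMPLE_ARP_REPLIES = [  # constructed: (seconds, claimed IP, claimed MAC) from "is-at" replies on the LAN
    (0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # gateway
    (1, "192.168.1.20", "bb:bb:bb:bb:bb:20"),  # workstation
    (2, "192.168.1.66", "cc:cc:cc:cc:cc:66"),  # a third host
    (5, "192.168.1.1", "cc:cc:cc:cc:cc:66"),   # third host now claims the gateway's IP
    (6, "192.168.1.20", "cc:cc:cc:cc:cc:66"),  # ...and the workstation's IP
    (7, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # the real gateway answers again
]

STATIC_ARP = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}  # entries pinned with static ARP (constructed)


def detect_arp_poisoning(replies, static_table=None) -> list:
    """Return alerts for IP-to-MAC changes, MACs claiming several IPs, and static-entry violations."""
    static_table = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
    ip_to_mac = {}    # IP -> MAC most recently seen for it
    mac_to_ips = {}   # MAC -> set of IPs it has claimed
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        if ip in static_table and static_table[ip] != mac:
            alerts.append({"t": t, "type": "static_entry_violation", "ip": ip,
                           "mac": mac, "expected": static_table[ip]})
        if ip in ip_to_mac and ip_to_mac[ip] != mac:
            alerts.append({"t": t, "type": "ip_mac_changed", "ip": ip,
                           "old_mac": ip_to_mac[ip], "new_mac": mac})
        ip_to_mac[ip] = mac
        claimed = mac_to_ips.setdefault(mac, set())
        if ip not in claimed:
            claimed.add(ip)
            if len(claimed) >= 2:
                alerts.append({"t": t, "type": "mac_claims_multiple_ips",
                               "mac": mac, "ips": sorted(claimed)})
    return alerts
```

Routers, virtual IPs and hosts with several addresses legitimately trigger the multiple-IP rule, so in production that check is usually scoped to critical addresses such as the gateway, which is exactly where a static entry gives an unambiguous verdict.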
Explain MITM attack.

Man-in-the-Middle is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.

Mitigation:

- Use static ARP (to prevent ARP poisoning)
- Use encryption (prevents the attacker from leveraging the data)
- IPS system (can detect a sudden change in network performance)
Explain DNS Poisoning.

- Also called DNS Spoofing.
- A type of cyberattack that exploits vulnerabilities in the domain name system (DNS) to divert Internet traffic away from legitimate servers and towards fake ones.
- This is done by introducing corrupt (poisoned) DNS data into the DNS resolver's cache.

Mitigation:

- Regularly audit DNS zones
- Keep DNS servers up-to-date
- Restrict zone transfers
- Limit recursive queries
- Store only data related to the requested domain
What is DNS Tunneling?

- DNS Tunneling is a method of cyber attack that encodes the data of other programs or protocols in DNS queries and responses.
- DNS traffic is usually allowed through firewalls, and attackers take advantage of this.
- It is used for data exfiltration (without being detected).

Mitigation:

- IPS systems can help detect some DNS tunneling attacks
- Block communication to IPs that are known to be used for data exfiltration
- Use a DNS firewall
- Deploy a standalone DNS protection solution (like Infoblox)
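A DNS firewall or IPS flags tunneling from the look of the queries rather than from a signature: encoded data shows up as very long, high-entropy labels, often with TXT or NULL record types, and as a large number of unique names under one parent domain. The following added example (not from the original page) scores constructed resolver log lines on those features; the thresholds and the log format are assumptions, and `evil.example` is a placeholder domain, not a real indicator.

```python
import hashlib
import math
from collections import Counter, defaultdict


def build_sample_log() -> str:
    """Constructed resolver log: '<ts> <client> <qtype> <qname>'. The 'evil.example' names are
    synthetic placeholders for a tunnel endpoint; the hex labels are SHA-256 of a counter."""
    benign = [
        "2024-03-01T10:00:00Z 10.0.0.5 A www.example.com",
        "2024-03-01T10:00:01Z 10.0.0.5 A mail.google.com",
        "2024-03-01T10:00:02Z 10.0.0.7 A static-assets-12.cdn.example.net",
        "2024-03-01T10:00:03Z 10.0.0.7 TXT _dmarc.example.com",
        "2024-03-01T10:00:04Z 10.0.0.5 AAAA www.example.com",
    ]
    tunnel = []
    for i in range(12):
        h = hashlib.sha256(str(i).encode()).hexdigest()
        tunnel.append(f"2024-03-01T10:01:{i:02d}Z 10.0.0.9 TXT {h[:32]}.{h[32:]}.t.evil.example")
    return "\n".join(benign + tunnel)


def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded data sits near 4, ordinary hostnames well below 3.5."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Last two labels (assumption: no public-suffix handling, good enough for the example)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_query(qname: str, qtype: str) -> tuple:
    """Per-query heuristics; each hit adds to a score and a human-readable reason."""
    labels = qname.rstrip(".").split(".")
    sub_labels = labels[:-2]
    score, reasons = 0, []
    if len(qname) > 52:
        score += 2
        reasons.append("name longer than 52 characters")
    if sub_labels and max(len(l) for l in sub_labels) > 30:
        score += 1
        reasons.append("label longer than 30 characters")
    if shannon_entropy(".".join(sub_labels)) > 3.5:
        score += 1
        reasons.append("high-entropy subdomain")
    if qtype in ("TXT", "NULL"):
        score += 1
        reasons.append(f"{qtype} record type")
    return score, reasons


def detect_dns_tunneling(lines, score_threshold: int = 3, volume_threshold: int = 10) -> dict:
    """Flag individual suspicious queries and parent domains with many unique subdomains."""
    suspicious = []
    unique_names = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        unique_names[parent_domain(qname)].add(qname)
        score, reasons = score_query(qname, qtype)
        if score >= score_threshold:
            suspicious.append({"ts": ts, "client": client, "name": qname,
                               "score": score, "reasons": reasons})
    high_volume = sorted(p for p, names in unique_names.items() if len(names) >= volume_threshold)
    return {"suspicious_queries": suspicious, "high_volume_parents": high_volume}
```

The volume rule is the one that survives evasion best: an attacker can shorten labels or switch to A records, but exfiltrating data still needs many distinct names under the domain they control.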
What is a malware?

- Malware is (malicious) software intentionally designed to cause damage to a computer or computer network.
- The malicious activities include:
  - Deleting files
  - Encrypting files
  - Gaining access to the infected machine
  - Collecting and sending sensitive data
  - Stopping services
  - System shutdown etc.

Mitigation:

- Use AV with up-to-date signatures
- Use ad-blockers
- Educate users not to download files from unknown sources
Explain different Types of Malware.

Virus: Viruses attach themselves to clean files and infect other clean files. Their intention is to damage a system's core functionality and to delete or corrupt files. They usually appear as an executable file (.exe).

Trojans: This kind of malware disguises itself as legitimate software but has malicious intent. It tends to act discreetly and create backdoors in your security to let other malware in.

Worms: Worms infect entire networks of devices, either local or across the internet, by using network interfaces. A worm uses each consecutively infected machine to infect others.

Spyware: Spyware is malware designed to spy on you. It hides in the background and takes notes on what you do online, including your passwords, credit card numbers, surfing habits, and more.

Ransomware: This kind of malware typically locks down your computer and your files, and threatens to erase everything unless you pay a ransom.

Adware: Though not always malicious in nature, aggressive advertising software can undermine your security just to serve you ads, which can give other malware an easy way in. Plus, it ends up consuming system resources.

Botnets: Botnets are networks of infected computers that are made to work together under the control of an attacker.

RAT: Remote Access Trojan - a type of malware that allows an attacker to gain unauthorized remote access to the victim's machine.
Difference between Virus, Trojan and Worm?

Virus: Viruses attach themselves to clean files and infect other clean files. A user action (like execution) is required for the virus to run.

Trojans: They appear as useful programs but have malicious intentions. Trojans are usually used to trick the user into performing a certain action (like execution).

Worms: Worms spread in the network without user action. They spread by:
- Attached external storage
- Available open network shares
- Email (a worm can automatically send a copy of itself to all the users in your address book)
What is drive-by download?

- A drive-by download refers to the unintentional download of malicious code onto a computer or mobile device that exposes users to different types of threats.
- In this type of attack, users need not click on anything to initiate the download. Simply accessing or browsing a website can activate the download.
- Drive-by downloads happen by taking advantage of insecure, vulnerable, or outdated apps, browsers, or even operating systems.

Mitigation:

- Encourage users to keep their software up to date
- Install AV that is capable of scanning internet traffic
- Install web-filtering software
- Restrict add-ons on browsers
- Educate users not to visit untrusted websites
What is fileless malware or a fileless attack?

- Fileless malware sneaks in without using traditional executable files as a first level of attack.
- Rather than using malicious software or downloads of executable files as its primary entry point onto corporate networks, fileless malware often hides in memory or other difficult-to-detect locations.
- It uses living-off-the-land techniques.
- Fileless malware leverages trusted, legitimate processes running on the operating system to perform malicious activities.
- Simply put, fileless malware runs in RAM (memory-based) and leaves no trace on the disk (file-based). This makes it impossible for a traditional antivirus, which relies on file signatures, to detect the malware.

Mitigation:

- Use EDR tools to monitor and detect suspicious activities.
- Disable command-line shell scripting languages, including PowerShell and Windows Management Instrumentation, wherever they are not needed.
What is OWASP?

The Open Web Application Security Project (OWASP) is an online community that produces articles, methodologies, documentation, tools, and technologies in the field of web application security.

Every year OWASP announces a list of the Top 10 vulnerabilities for web applications - the OWASP Top 10.

As of 2019, the top 10 web application attacks/vulnerabilities are:

- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting
- Insecure Deserialization
- Using Components With Known Vulnerabilities
- Insufficient Logging And Monitoring


Explain SQL Injection.

SQL injection is a code injection technique in which malicious SQL statements are inserted into an entry field for execution.

These SQL statements control a database server behind a web application. By executing malicious statements, the attacker can gain unauthorized access and copy, modify or delete the data.

Example of a malicious SQL fragment: ' OR '1'='1' --

Mitigation:

- Input validation
- Sanitize all inputs (e.g. remove quotes and special characters)
- Use IPS and WAF solutions
- Turn off visibility of database errors on production servers
Explain Cross Site Scripting (XSS).

Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim's web browser by including malicious code in a legitimate web page or web application.

It usually happens where there is a free-text input box on the website, like the comments section of a blog.

Mitigation:

- Input validation
- Sanitize all inputs (e.g. remove quotes and special characters)
- Encode data on output
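"Encode data on output" is the control that makes stored text inert regardless of what the input filters let through. The following added example (not from the original page) renders a blog comment the vulnerable way and the encoded way using Python's `html.escape`, and shows why the encoding must match the context (HTML body versus attribute value). The test comment is the standard harmless probe string, constructed for the example.

```python
import html

# Constructed comment a reviewer might test with; any markup in user input is the point.
TEST_COMMENT = "<script>alert(1)</script>"


def render_comment_vulnerable(comment: str) -> str:
    """User text is concatenated straight into the page: markup in the text becomes markup in the page."""
    return f'<li class="comment">{comment}</li>'


def render_comment_safe(comment: str) -> str:
    """Encode on output for the HTML body context: <, >, &, and quotes become entities,
    so the browser shows the text instead of interpreting it."""
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


def render_title_attr_safe(value: str) -> str:
    """Attribute context: the value is both quoted and encoded; quote=True is what keeps
    a stray '"' in the value from closing the attribute early."""
    return f'<span title="{html.escape(value, quote=True)}">comment</span>'


def strip_quotes_only(comment: str) -> str:
    """The 'remove quotes' sanitiser from the mitigation list taken on its own: it leaves
    angle brackets untouched, which is why it is paired with output encoding."""
    return comment.replace('"', "").replace("'", "")
```

Template engines do this escaping by default; the usual bug is a deliberate "raw" or "safe" marker applied to user-controlled text, or a string placed inside a `<script>` block or a URL, where HTML entity encoding is the wrong encoder.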
Explain Cross Site Request Forgery (CSRF).

- Also called a one-click attack or session riding.
- Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.

Example:

- User A is logged in to a banking website - www.mybank.com
- The attacker tricks the user into downloading and executing some code.
- This code sends a request to www.mybank.com to transfer money to the attacker's account.
- The banking website performs the request because it sees the request coming from User A's machine, which is already authenticated with the server.

Mitigation:

- Synchronizer token pattern
- Cookie-to-header token
- Double Submit Cookie
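The synchronizer token pattern works because the forged request carries the victim's cookie but cannot carry a token that only the real page received. The following added example (not from the original page) implements a stateless variant of that pattern: the token is a random nonce plus an HMAC over the session id, so the server verifies it without storing anything per request. The session store, the secret handling and the request shape are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret kept server-side (KMS or environment), never sent to clients.
SERVER_SECRET = secrets.token_bytes(32)

SESSIONS = {"sess-alice": "alice"}  # constructed session store: cookie value -> user


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: random nonce + HMAC(session_id, nonce).
    Embedded in the form by the real page; a cross-site page cannot read it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(request: dict) -> tuple:
    """Minimal state-changing endpoint. `request` is a constructed dict with 'method',
    'cookies' and 'form'; returns (status, message). Order of checks: session, method, token."""
    session_id = request.get("cookies", {}).get("session")
    if session_id not in SESSIONS:
        return 401, "not authenticated"
    if request.get("method") != "POST":
        return 405, "state changes must use POST"
    token = request.get("form", {}).get("csrf_token", "")
    if not verify_csrf_token(session_id, token):
        return 403, "CSRF token missing or invalid"
    amount = request["form"]["amount"]
    return 200, f"transferred {amount} on behalf of {SESSIONS[session_id]}"
```

Binding the HMAC to the session id is what stops an attacker from reusing a token issued for their own session against the victim's; the double-submit-cookie variant in the list above achieves the same end by comparing a cookie value with a form field instead of keying on the session.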
Explain Broken Authentication.

Broken Authentication weaknesses can allow an attacker to either capture or bypass the authentication methods that are used by a web application. The application:

- Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
- Permits brute force or other automated attacks.
- Permits default, weak, or well-known passwords, such as "Password" or "admin/admin".
- Uses weak or ineffective credential recovery and forgot-password processes.
- Uses plain text or weakly hashed passwords.

Mitigation:

- Where possible, implement multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential re-use attacks.
- Do not ship or deploy with any default credentials, particularly for admin users.
- Implement weak-password checks, such as testing new or changed passwords against a list of the top 10000 worst passwords.
- Lock user accounts after a certain number of failed attempts
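The weak-password check and the lockout rule above are the same controls listed earlier for brute-force and dictionary attacks, so one added example (not from the original page) serves both sections: a password check against a denylist and the target's personal details (the data a personalised dictionary attack uses), and a lockout policy that takes the clock as an argument so it can be tested deterministically. The six-entry denylist, the 12-character minimum and the 5-failure / 15-minute defaults are constructed assumptions; a deployment would load the top-10000 list the text mentions.

```python
# Constructed, very short denylist; production would load the top-10000 list the text mentions.
WEAK_PASSWORDS = {"password", "123456", "admin", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12  # assumption: a common minimum for user-chosen passwords


def is_weak_password(password: str, personal_details=()) -> tuple:
    """Return (is_weak, reason). personal_details is the kind of data a personalised
    dictionary attack uses (name, date of birth, vehicle number, ...)."""
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        return True, f"shorter than {MIN_LENGTH} characters"
    if lowered in WEAK_PASSWORDS:
        return True, "appears in the known-weak password list"
    for detail in personal_details:
        if len(detail) >= 3 and detail.lower() in lowered:
            return True, f"contains personal detail {detail!r}"
    return False, ""


class LockoutPolicy:
    """Lock an account for `lockout_seconds` after `max_failures` consecutive failed logins.
    Time is passed in explicitly so the policy is deterministic and testable."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._state = {}  # username -> {"failures": int, "locked_until": float}

    def is_locked(self, username: str, now: float) -> bool:
        return now < self._state.get(username, {}).get("locked_until", 0.0)

    def record_failure(self, username: str, now: float) -> None:
        st = self._state.setdefault(username, {"failures": 0, "locked_until": 0.0})
        st["failures"] += 1
        if st["failures"] >= self.max_failures:
            st["locked_until"] = now + self.lockout_seconds
            st["failures"] = 0  # the counter restarts once the lock expires

    def record_success(self, username: str) -> None:
        self._state.pop(username, None)


def attempt_login(policy: LockoutPolicy, username: str, password_ok: bool, now: float) -> str:
    """Outcome of one login attempt: 'locked', 'ok' or 'failed'. The lock is checked before
    the password so a locked account gives no signal about whether a guess was right."""
    if policy.is_locked(username, now):
        return "locked"
    if password_ok:
        policy.record_success(username)
        return "ok"
    policy.record_failure(username, now)
    return "failed"
```

Lockout on its own can be turned into a denial of service against legitimate users, which is why it is paired with CAPTCHA, per-source rate limits and MFA in the lists above rather than used alone.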
Explain Broken Access Control.

Broken Access Control is a weakness in a web application that lets users do more than they are authorized to. Example: user A can see the details of user B.

Broken Access Control vulnerabilities often lead to:

- unauthorized information disclosure
- modification or destruction of all data
- performing a business function outside the limits of the user

Mitigation:

- Deny access to functionality by default.
- Use access control lists and role-based authorization mechanisms.
- Log access control failures and alert admins when appropriate (e.g. repeated failures).
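The three mitigations above (deny by default, role-based checks, logging and alerting on failures) fit in one small authorization layer. The following added example (not from the original page) enforces them for the "user A can see user B's details" case: an unknown role or an unmodelled action gets nothing, ownership is checked for "read own" permissions, every denial is logged, and repeated denials by one actor raise an alert. The roles, permissions and the alert threshold of three are constructed assumptions.

```python
from collections import Counter

# Constructed role -> permission mapping for a small account service
ROLE_PERMISSIONS = {
    "customer": {"account:read_own"},
    "support": {"account:read_own", "account:read_any"},
    "admin": {"account:read_own", "account:read_any", "account:delete_any"},
}


class AccessController:
    """Deny-by-default authorization with an audit log of failures and a repeated-failure alert."""

    def __init__(self, alert_after: int = 3):
        self.alert_after = alert_after
        self.failures = Counter()   # actor id -> number of denied requests
        self.audit_log = []         # one entry per denied request
        self.alerts = []            # actors that reached the repeated-denial threshold

    def is_allowed(self, actor: dict, action: str, account_owner: str) -> bool:
        perms = ROLE_PERMISSIONS.get(actor.get("role"), set())  # unknown role -> no permissions
        if action == "read":
            if "account:read_any" in perms:
                return True
            # "read own" only holds when the record belongs to the caller
            return "account:read_own" in perms and account_owner == actor.get("id")
        if action == "delete":
            return "account:delete_any" in perms
        return False  # any action not explicitly modelled is denied

    def authorize(self, actor: dict, action: str, account_owner: str) -> bool:
        allowed = self.is_allowed(actor, action, account_owner)
        if not allowed:
            actor_id = actor.get("id", "<anonymous>")
            self.failures[actor_id] += 1
            self.audit_log.append({"actor": actor_id, "action": action,
                                   "target": account_owner, "result": "DENY"})
            if self.failures[actor_id] == self.alert_after:
                self.alerts.append(f"{actor_id}: {self.alert_after} access-control failures")
        return allowed
```

The audit log is what turns an enumeration attempt (one user walking through other users' account ids) into a SOC alert; without it the denials are invisible and only successful access would ever be noticed.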
DISCLAIMER

- Most of the questions and their answers discussed in this section are subjective.
- Different companies follow different processes.
- I believe there are no correct or wrong answers for these questions. However, there might be better answers than the ones discussed here.

Explain the SOC Team Architecture/Hierarchy

[Org chart; roles shown, top to bottom:]
- SOC Manager
- Threat Intelligence, Threat Hunter
- L3 / SOC Lead
- Incident Handler, Forensic Investigator
- L2 Security Analyst
- L1 Security Analyst, IR Automation Engineer, Red Team Specialist
Roles and Responsibilities of L1/L2 Security Analyst in SOC.

Security Analyst L1

- 24/7 Eyes-on-Glass monitoring
- Analysis of triggered alerts (usually following a Runbook)
- Raising tickets for validated incidents
- Follow-up with the incident response team for remediation
- Drafting shift hand-overs
- Assist L2/L3 in reporting

Security Analyst L2

- Deep-dive analysis of escalated alerts
- Assist in incident remediation
- Assist L1 in alert analysis
- Maintaining and improving SOPs and processes
- Troubleshoot basic SIEM issues
As SOC Lead/SIEM Admin what are your responsibilities?

1. Installing, updating and upgrading the SIEM solution.
2. On-boarding log sources and working on log source issues.
3. Create and fine-tune content in SIEM - Correlation Rules, Dashboards, Reports, Lists etc.
4. Interact with SIEM vendor TAC (support) to fix any issues with the SIEM.
5. Install, manage and build content in SIEM.
6. Mentor L1 and L2 security analysts.
7. Assist in analysis that requires the involvement of multiple teams.
8. Evaluate new solutions for the SOC team.
9. Create Runbooks for all alerts.
10. Schedule the shift roster.
What are the different SOC Models?

- In-house SOC: An organization runs its own SOC. People, processes and technology are all managed by people within the organization.

- MSSP (Managed Security Service Provider) / MSP (Managed Security Provider):
  - Dedicated - A team of people with the service provider works for a single client. Here the client typically has their own technology, i.e. the SIEM and other tools are hosted in the client's datacenter.
  - Shared - A team of people with the service provider monitors and analyzes logs coming from various clients. In this model the technology is hosted in the service provider's datacenter.

- Hybrid SOC: A mix of both In-house SOC and MSSP. Typically this is done by out-sourcing the L1 monitoring to an MSSP while the organization runs the L2 and Incident Response team in-house.

[Diagram: an MSSP serving Client A, Client B and Client C.]
Which model is better, MSSP or In-house?

Both models have their advantages and shortcomings.

An in-house SOC is more effective, as the organization can customize everything as per its business requirements. Since the number of technologies in an organization is limited, the focus will be on getting the best value out of each solution. However, an in-house SOC is very expensive to implement.

The MSSP model reduces the cost of ownership and operational expenses; however, the output of the SOC (like reports, alerts, recommendations etc.) will be generic.

A Hybrid SOC gives a better result, but it is still expensive to implement.
What is SLA?

- SLA stands for Service Level Agreement.
- In a SOC it is mostly the time taken for the SOC team to identify and report a suspicious activity.
- SLAs are associated with priorities:

P1 | 30 minutes
P2 | 1 hour
P3 | 2 hours
P4 | 4 hours
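The "SLA adherence" figure in the SOC performance reports described later comes directly from this table. The following added example (not from the original page) computes it per priority from constructed incident records, measuring the time from detection to the ticket being raised against the limits above and listing the breaching incident ids.

```python
from datetime import datetime, timedelta

# SLA limits from the table above (time to identify and report, per priority)
SLA_BY_PRIORITY = {
    "P1": timedelta(minutes=30),
    "P2": timedelta(hours=1),
    "P3": timedelta(hours=2),
    "P4": timedelta(hours=4),
}

# Constructed incident records: when the SIEM detected the activity and when the SOC reported it
INCIDENTS = [
    {"id": "INC-001", "priority": "P1", "detected": "2024-03-01T10:00:00", "reported": "2024-03-01T10:20:00"},
    {"id": "INC-002", "priority": "P1", "detected": "2024-03-01T11:00:00", "reported": "2024-03-01T11:45:00"},
    {"id": "INC-003", "priority": "P2", "detected": "2024-03-01T12:00:00", "reported": "2024-03-01T12:50:00"},
    {"id": "INC-004", "priority": "P3", "detected": "2024-03-01T13:00:00", "reported": "2024-03-01T14:30:00"},
    {"id": "INC-005", "priority": "P4", "detected": "2024-03-01T09:00:00", "reported": "2024-03-01T14:00:00"},
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def sla_report(incidents) -> dict:
    """Per-priority SLA adherence: total, met, adherence percentage and the breaching incident ids."""
    report = {}
    for inc in incidents:
        limit = SLA_BY_PRIORITY[inc["priority"]]
        elapsed = _parse(inc["reported"]) - _parse(inc["detected"])
        if elapsed < timedelta(0):
            raise ValueError(f"{inc['id']}: reported before detected")
        row = report.setdefault(inc["priority"], {"total": 0, "met": 0, "breaches": []})
        row["total"] += 1
        if elapsed <= limit:
            row["met"] += 1
        else:
            row["breaches"].append(inc["id"])
    for row in report.values():
        row["adherence_pct"] = round(100 * row["met"] / row["total"], 1)
    return report
```

Reporting the breaching ids alongside the percentage is what makes the number actionable in a shift review: a 50% P1 figure on its own says nothing about whether the miss was a staffing gap or a noisy rule.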
Why does an organization need a SOC team?

- One of the main benefits of having a Security Operations Center is that it improves security incident detection through constant monitoring and analysis.
- It shifts the organization to a proactive approach, rather than being reactive.
- Monitoring 24/7, a SOC is able to provide organizations with an advantage in defending against intrusions, regardless of the type of attack, at any time.
- A SOC also helps to meet regulatory compliance requirements.

When we have Endpoint Security and Network Security, why do we need a SOC team?

- Traditionally all the preventive technologies (like AV, firewall, IPS) work separately and need dedicated skills to manage them. A SOC team helps by correlating activities happening at different parts of the network.
What do you document in an Incident?

1. Incident Name
2. Incident Description
3. Priority
4. Occurred Time
5. Detected Time
6. Reported By
7. Assigned To
8. Affected Host/IP/User/Business Unit
9. Information Gathered
10. Analysis
11. Evidence
12. Recommendations
What ticketing tool have you worked on?

The most widely used ticketing tools are:

- ServiceNow (SNOW)
- BMC Remedy
- JIRA
- RSA Archer
Apart from SIEM what other tools have you worked on?

Preventive Technologies:
- Endpoint Security - McAfee ePO or SEPM
- Firewall - Palo Alto or Fortinet
- IPS - Snort
- Vulnerability Assessment - Nessus
- Proxy - Websense
- Email Gateway - Proofpoint
- WAF - Imperva Incapsula

Analysis Tools:
- IPVoid
- VirusTotal
- Wireshark
- MXToolbox
- CVE Details
- US-CERT
- IBM X-Force / ThreatCrowd

Utility Tools:
- Ticketing tool - ServiceNow
- Process Explorer
- Process Monitor
What is False Positive?

- A true positive is an outcome where the model correctly predicts the positive case.
  - Downloaded file is malware, AV detected it as malware
- A true negative is an outcome where the model correctly predicts the negative case.
  - Downloaded file is NOT malware, AV did NOT detect it as malware
- A false positive is an outcome where the model incorrectly predicts the positive case.
  - Downloaded file is NOT malware, AV detected it as malware
- A false negative is an outcome where the model incorrectly predicts the negative case.
  - Downloaded file is malware, AV did NOT detect it as malware

- True Positive and True Negative are the ideal cases, i.e. the solution is working correctly.
- False Positive - Increases work and leads to alert fatigue.
- False Negative - Very dangerous; malicious activity has happened and the solution did not detect it.
Explain your team in numbers and Hierarchy

- We have 10 people in our team:
  - 6 Level 1 Analysts
  - 2 Level 2 Analysts
  - 1 Lead
  - 1 SOC Manager
- Our team reports to the CISO in our company (or the client's CISO).
- L1 analysts monitor the network 24/7 and do analysis based on the Playbooks.
- L2 analysts help with deep-dive analysis and also assist L1s in analysis.
- Threat Intelligence and Threat Hunting responsibilities are shared between L1 and L2 analysts.
What are the numbers in your SOC?

- No. of Log Sources - Around 2800
- No. of Logs/day - 25,000,000
- No. of Alerts/day - 100 - 130
- No. of Incidents/day - 2 - 5
What are the different reports/dashboards you generate?

3 major types of reports - Technology Reports | SIEM Performance Reports | SOC Performance Reports

Technology Reports

1. Malware Summary
   - No. of Infections, Hosts Infected, Users, Malware Type, Malware Name, Action by AV, File Name and File Path
2. Firewall Summary
   - Inbound Allow - Source Country, Source IP, Destination IP, Destination Port (services)
   - Inbound Deny - Source Country, Source IP, Destination IP, Destination Port (services)
   - Outbound Allow - Source IP, Destination IP, Destination Country, Destination Port (services)
   - Outbound Deny - Source IP, Destination IP, Destination Country, Destination Port (services)
3. Account Management Summary
   - Accounts Created, Deleted, Enabled, Disabled, Locked-out
   - Privilege Changes
4. Authentication Summary
   - Successful Logons, Failed Logons, Admin Logons etc.
5. Proxy Summary
   - Top 10 Users, Top 10 Websites, Top 10 Website Categories, Malicious Website Access and Action, Malicious File Downloads and Action
6. Email Summary
   - Top 10 Senders, Top 10 Recipients, Top 10 Sender Domains, Top 10 Mail Blocking Reasons, Malicious Attachments and Action
7. Threat Intelligence Summary
   - Inbound - Source Country, Source IP, Destination IP, Destination Port, Action
   - Outbound - Source IP, Destination IP, Destination Country, Destination Port, Action
Reports contd...

SIEM Reports
- EPS
- New log sources
- Silent log sources
- New Correlation Rules

SOC Performance Reports
- Number of Alerts
- Number of Incidents by Severity
- SLA adherence
- Number of Escalations
Explain the Incident Response Process/Lifecycle

The SANS (SysAdmin, Audit, Network and System) Incident Response Process has 6 stages:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

NIST (National Institute of Standards and Technology) defines Incident Response in Special Publication 800-61.
Explain SIEM implementation Phases.

1. Asset Management (list of all the assets)
2. Define the scope for SOC Monitoring and Analysis
3. Log source on-boarding preparation
4. Implement SIEM
5. On-board log sources
6. Use OOB (out-of-the-box) content - Dashboards, Reports, Rules etc.
7. Announce Go Live
8. Analysts start getting comfortable with the tools
9. Create custom content as per requirement
Explain SOC Implementation Phases.

1. Define Scope
2. Implement Technologies
3. Hire and Build Team
4. Develop Policies, Processes and Procedures
5. CMM Level 3 (Initial - Managed - Defined state)
6. Develop KPIs (Quantitatively Managed)
7. Automate (Optimized)
Explain SOC Workflow.

[Workflow diagram; recoverable labels, in order:]
- Events from Log Sources and Alerts from Monitoring Tools
- Valid: Escalates
- Valid: Escalates
- Remedyforce (ticketing): Incident Resolved Email Notification
- Not Fixed: Re-opens Incident and Continues Follow-up
- Fixed: the Issue is Resolved
- False Positive: Close the SIEM Case
- Phase 4: Case Closure
What metrics do you use in SOC?

Metric: Number of devices being monitored
  Questions: How many devices are being monitored? Is the number increasing or decreasing? Why?
  Measurements: Number of devices; Number of devices / analyst
  Category: Workload

Metric: Total number of events
  Questions: How many events are being handled? Is the number increasing or decreasing? Why? Are the current staffing levels adequate?
  Measurements: Number of events / hour, / day, / month, / year (each also per analyst); Number of events / event type
  Category: Cost to value; Key risks; Workload

Metric: Number of events per device or host
  Questions: How many events are received for each device or host? Are there certain devices or hosts which are more prone to security issues, causing increased risk? Why? Are there certain devices or hosts which are more prone to false positive events? Why?
  Measurements: Number of events per device or host / day, / month, / year; Number of events / device or host type; Number of events / operating system type
  Category: Detection success; Key risks

Metric: Number of events per location
  Questions: How many events are received per geographic location, office, etc.? Are certain locations more prone to security events? Why?
  Measurements: Number of events / office; Number of events / region
  Category: Key risks

Metric: Number of false positive alerts
  Questions: How many false positive events are received? Is this acceptable? Can the number of false positive events be reduced? How?
  Measurements: Number of false positives / hour, / day, / month, / year; Percentage of events that are false positives
  Category: Detection success

Metric: Time to detection
  Questions: How long is it taking your organization to detect a security event? Is this acceptable? Are there ways this time to detection can be reduced? How?
  Measurements: Measured in minutes, hours or days; Average time to detection; Average time to detection / technology; Average time to detection / event type
  Category: Detection success; Process success; Outliers

Metric: Time to resolution
  Questions: How long is it taking our organization to resolve an actual security event? Is this acceptable? Are there process or technology improvements that can be made to reduce this time? What are they? Are additional staff or training required? How many staff or what additional training is required?
  Measurements: Measured in minutes, hours or days; Average time to resolve; Average time to resolve / technology; Average time to resolve / event type
  Category: Process success; Outliers

Metric: Escalations
  Questions: How many events are being escalated and to what level? Are events being escalated too quickly or not soon enough? Why? Are there improvements to the escalation process that can make event handling more efficient? What are they? Is the training for each level sufficient to produce the desired skill level? If not, what additional training is required?
  Measurements: Average number of events / level; Average number of events / level / time period; Escalation level / event type; Escalation level / technology; Average time (minutes or hours) to escalate
  Category: Analyst skills; Cost to value; Process success
What do you document in Shift Handover?

Shift Start Time: 18 Feb 2020 | 06:00
Shift End Time: 18 Feb 2020 | 15:00
Any on-going issues? Any alert analysis pending?
Any teams waiting for an update from the SOC team?
Incident Details (incidents raised during the shift):
• Incident Number
• Incident Name & Description
• Severity
• Assigned to (Team)
• Status
Task Handover: Reports to pull
Difference between Blue team vs Red team.

The Red team is responsible for offensive security. Typically they do penetration testing, exploit vulnerabilities, and carry out social engineering and various recon activities.

The Blue team is responsible for monitoring, detecting and responding to possible threats.

A team that combines Red team and Blue team activities, with the two sides working together to improve detection, is called a Purple Team.
What documents do you create in SOC?

• Log Source On-boarding
• Log Source Decommissioning
• Threat Intel gathering procedure
• Threat Hunting methodologies
• New Use case development procedure
• Staff on-boarding procedure
• Play-book/Run-book (Investigation Procedures)
• Data/Config backup procedure
What is an SOP / RunBook / PlayBook?

A step-by-step guide to handle an alert in the Security Operations Center.
Usually followed by the L1 Security Analyst.
This helps in maintaining the quality of analysis and incident documentation, and it makes the outcome of a triage repeatable regardless of which analyst is on shift.
SOPs also reduce the time to respond.
Explain CMM level as applied to SOC.

CMM stands for Capability Maturity Model. Applied to a SOC, the five levels are:

Level 1 - Initial: Process is unpredictable; fire-fighting mode; reactive approach.
Level 2 - Managed: Processes are defined, but not being followed effectively; learning and correcting.
Level 3 - Defined: Processes are well defined and followed by everyone; proactive approach.
Level 4 - Quantitatively Managed: Processes are well defined and followed by everyone; KPIs implemented and measured.
Level 5 - Optimized: Automate repetitive tasks; continuously improve quality and performance.
How do you handle a P1 incident in your SOC?

• In our organization, the SLA for a P1 incident is 30 minutes.
• We have an internal process of involving the SOC Lead within the first 10 minutes of a P1 alert.
• The Lead decides which other teams' assistance is required.
• A bridge call is opened and all the stakeholders are notified about the incident.
• I continue to assist the Lead by pulling reports or checking the status of affected services.
What will you do if there are 200 alerts triggered at once?

• If there are so many alerts, it is most likely that the same alert has triggered several times.
• So I will isolate the duplicate alerts.
• If there are different alerts, I will sort them by priority and pick the one with the highest priority and impact.
• If the triggered alerts are for a new correlation rule, it is possible that it is configured incorrectly. I will pass this information to the SIEM Engineer for fine-tuning.
What do you discuss in client calls?

• We have a weekly call with the customer
• We discuss things like
  • Incident Trends
  • Threat Indicators Summary
  • SLA Report and KPIs
  • SIEM Health Report
    o EPS
    o New log sources
    o Silent log sources
    o New Correlation Rules
Anand Guru
Security+ | CySA+ | CEH | ECIH
Founder, SOC Experts
https://socexperts.com
Interview Questions on Logs (Raw Logs)

What are the different logging levels in network devices?

Most network devices use the 8 syslog severity levels (RFC 5424), where a lower number is more severe:

Level 0 - Emergency : System unusable
Level 1 - Alert : Immediate action needed
Level 2 - Critical : Critical condition
Level 3 - Error : Error condition
Level 4 - Warning : Warning condition
Level 5 - Notification (Notice) : Normal but significant condition
Level 6 - Informational : Informational message only
Level 7 - Debugging : Appears during debugging only

Configuring a device to log at a level means "this level and everything more severe": a device set to log at level 2 will never send the level 6 informational messages (ACL denies, logins) that the SOC usually needs, which is one common cause of a silent log source.
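As an added example (not part of the original deck): decoding the PRI header that carries these levels. Every syslog message starts with <PRI>, where PRI = facility * 8 + severity (RFC 5424), so the severity a device assigned is recoverable from the first bytes of the line without parsing anything else. The sample lines are constructed (the first is the classic RFC example); the facility and severity names are the RFC's.

```python
import re
from typing import Optional

# Syslog severities (RFC 5424 section 6.2.1); lower number = more severe.
SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

# Syslog facilities (RFC 5424 section 6.2.1).
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
            5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
            10: "authpriv", 11: "ftp", 12: "ntp", 13: "logaudit",
            14: "logalert", 15: "clock", 16: "local0", 17: "local1",
            18: "local2", 19: "local3", 20: "local4", 21: "local5",
            22: "local6", 23: "local7"}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(line: str) -> Optional[dict]:
    """Split a raw syslog line into facility, severity and the remaining text.

    Returns None when the line has no valid PRI header, so a collector can
    count unparseable input instead of silently dropping it.
    """
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                    # 23 * 8 + 7 is the largest legal value
        return None
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": facility, "facility_name": FACILITY[facility],
        "severity": severity, "severity_name": SEVERITY[severity],
        "message": m.group(2),
    }


def at_or_above(lines, max_severity: int) -> list:
    """Keep decoded lines whose severity is max_severity or more severe.

    Same "this level and everything more severe" semantics a device applies
    when it is configured with a logging level.
    """
    kept = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is not None and decoded["severity"] <= max_severity:
            kept.append(decoded)
    return kept


# Constructed sample lines; the first is the well-known RFC 5424 example.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 - An application event log entry",
    "<190>Feb 18 10:10:48 fw01 %ASA-6-302013: Built outbound TCP connection",  # 23*8+6: local7, informational
    "Feb 18 10:10:49 fw01 no PRI header on this line",
]

if __name__ == "__main__":
    for d in at_or_above(SAMPLE_LINES, 4):
        print(d["facility_name"], d["severity_name"], d["message"][:40])
```

Running it keeps only the <34> line (auth, Critical) at a level-4 cut-off; the firewall's informational connection record is dropped, which is exactly what happens on the device when someone sets "logging trap warnings".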
What are the important logs in Windows Server?

Windows Event Logs are the most important logs in Windows servers.

There are 3 main categories in Windows Event Logs:
• Application
• System
• Security (the audit events the SOC relies on: logons, account management, policy changes, audit log cleared)
Default location of logs for a few log sources.

Windows Event Logs : C:\Windows\System32\winevt\Logs\ (*.evtx; the older C:\Windows\System32\config\ path held the *.evt logs on pre-Vista systems)
Windows DHCP : C:\Windows\System32\dhcp
Windows DNS : (Trick question) By default DNS debug logging is not enabled. When we enable it we get an option to choose the log file path.
Linux System : /var/log/messages (RHEL/CentOS) or /var/log/syslog (Debian/Ubuntu); authentication events go to /var/log/secure or /var/log/auth.log respectively
Exchange Mail Server : %ExchangeInstallPath%\TransportRoles\Logs\MessageTracking NOTE: The important logs in Exchange are the Message Tracking logs.
Can you recall a few Event IDs of Windows Event Logs?

1. 4624 - Successful user account logon
2. 4625 - Failed user account logon
3. 4720 - A user account was created
4. 4726 - A user account was deleted
5. 4740 - A user account was locked out
6. 4767 - A user account was unlocked
7. 1102 - The audit log was cleared
What are Windows Logon Types?

The Logon Type field (in 4624/4625) indicates the kind of logon that occurred.
Logon Type 2 - Interactive
Logon Type 3 - Network
Logon Type 4 - Batch
Logon Type 5 - Service
Logon Type 7 - Unlock
Logon Type 8 - NetworkCleartext
Logon Type 9 - NewCredentials
Logon Type 10 - RemoteInteractive
Logon Type 11 - CachedInteractive

Logon types 2, 3 & 10 are the most common types of logon.
What are the reasons for login failures in Windows?

Event ID 4625 carries a Status and a Sub Status field (NTSTATUS codes); the Sub Status gives the reason:

0xC000006A User name is correct but the password is wrong
0xC0000234 User is currently locked out
0xC0000072 Account is currently disabled
0xC0000064 User name does not exist
0xC0000070 Workstation restriction, or Authentication Policy Silo violation
0xC000015B The user has not been granted the requested logon type (aka logon right) at this machine
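An added example (not from the original deck) that puts the logon types and the 4625 Sub Status codes above to work: it labels each event the way an analyst reads it, then groups failures by source IP inside a sliding window and tells a brute force (one account, many tries) apart from a password spray (many accounts, few tries each), and flags the case that must never be closed as noise: a 4624 from the same source after the failures. Field names are the ones in the 4624/4625 event XML; the events themselves and the thresholds (10 failures in 5 minutes, 5 distinct users) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# 4625 Sub Status codes from the list above, keyed in lower case.
SUB_STATUS = {
    "0xc000006a": "user name is correct but the password is wrong",
    "0xc0000234": "user is currently locked out",
    "0xc0000072": "account is currently disabled",
    "0xc0000064": "user name does not exist",
    "0xc0000070": "workstation restriction or authentication policy silo violation",
    "0xc000015b": "user has not been granted the requested logon type at this machine",
}


def describe(event: dict) -> str:
    """Explain one 4624/4625 event the way an analyst would read it."""
    if event["EventID"] == 4624:
        lt = event["LogonType"]
        return "logon type %d (%s)" % (lt, LOGON_TYPES.get(lt, "other"))
    code = event.get("SubStatus", "").lower()
    return SUB_STATUS.get(code, "unknown failure %s" % code)


def triage(events, window=timedelta(minutes=5), min_failures=10, min_users=5) -> dict:
    """Summarise failed logons per source IP.

    For each source: the most failures seen inside any `window`, the distinct
    target users, a pattern label, and whether a 4624 from the same source
    followed the failures (that case is escalated, not closed).
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["TimeCreated"]):
        by_src[e["IpAddress"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["EventID"] == 4625]
        if not fails:
            continue
        # Two-pointer sweep: largest number of failures inside one window.
        peak, lo = 0, 0
        for hi in range(len(fails)):
            while fails[hi]["TimeCreated"] - fails[lo]["TimeCreated"] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        users = {e["TargetUserName"].lower() for e in fails}
        unknown = sum(1 for e in fails if e.get("SubStatus", "").lower() == "0xc0000064")
        if peak < min_failures:
            pattern = None
        elif len(users) >= min_users:
            # many accounts, few tries each: a spray, or enumeration when the
            # names mostly do not exist
            pattern = "account enumeration" if unknown * 2 > len(fails) else "password spray"
        else:
            pattern = "brute force"
        first_fail = fails[0]["TimeCreated"]
        success = any(e["EventID"] == 4624 and e["TimeCreated"] >= first_fail for e in evs)
        findings[src] = {"failures_in_window": peak, "users": sorted(users),
                         "pattern": pattern, "followed_by_success": success}
    return findings


# --- constructed sample events (field names as in the 4624/4625 XML) ---
def _ev(eid, offset_s, user, ip, **extra):
    e = {"EventID": eid,
         "TimeCreated": datetime(2020, 2, 18, 10, 0, 0) + timedelta(seconds=offset_s),
         "TargetUserName": user, "IpAddress": ip, "LogonType": 3}
    e.update(extra)
    return e

SAMPLE = [_ev(4625, 10 * i, "user%02d" % i, "10.10.2.78", SubStatus="0xC000006A")
          for i in range(12)]                                  # 12 accounts in 110 s
SAMPLE.append(_ev(4624, 130, "user07", "10.10.2.78"))         # one guess worked
SAMPLE += [_ev(4625, 0, "svc_backup", "10.10.5.9", SubStatus="0xC0000234"),
           _ev(4625, 30, "svc_backup", "10.10.5.9", SubStatus="0xC0000234")]

if __name__ == "__main__":
    for src, f in triage(SAMPLE).items():
        print(src, f)
    print(describe(SAMPLE[-1]))
```

The spray source gets "password spray" with followed_by_success set, which is the finding to escalate; the two locked-out failures for svc_backup stay below the threshold and are reported only for context.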
What are the important fields in antivirus logs?

Date & Time - 18 Feb 2020 10:10:48
Host - LLOHNO708
IP Address - 10.10.2.78
User - ABCInsurance\john
File Name - goodmovie.exe
File Path - D:\Movies\New Folder\goodmovie.exe
Malware Name - every vendor has its own naming conventions
Malware Category - Trojan, Worm, Ransomware etc.
Action Taken by AV - Clean, Delete, Quarantine, Failed to Clean, Failed to Delete, Failed to Quarantine
What are the important fields in firewall logs?

• Date & Time
• Source IP
• NAT Source IP
• Source Port
• Source Country
• Source Interface/Zone
• Destination IP
• NAT Destination IP
• Destination Port
• Destination Country
• Destination Interface/Zone
• Bytes Sent
• Bytes Received
• Rule Name
• Action
What are the important fields in IPS logs?

• Date & Time
• Source IP
• Source Port
• Destination IP
• Destination Port
• Attack Name
• Attack Severity
• Source Country
• Destination Country
• Action

More cybersecurity interview questions & answers @ https://bit.ly/ag-soc-qna by Anand Guru
What are the important fields in proxy logs?

• Date & Time
• Source IP
• User
• URL
• Domain
• Website Category
• Action
• Bytes Sent
• Bytes Received
What are the important fields in WAF logs?

• Date & Time
• Client IP
• Request Headers
• Response Headers
• URL
• Referrer
• Method
• HTTP Status Code
• Attack Type
• Attack Severity
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What logs do you pull from AWS? 


AWS CloudtTrail Logs 


AWS CloudWatch Logs 


How do you pull logs from AWS? 


Using AWS API. 


We would need the Access key and Secret access key of a user account. This user should have permission to 


read logs form S3 buckets. 
What logs do you collect from a database?

Audit Logs

Why do we need raw logs?

• The raw logs are required for forensics and compliance purposes. The parsed event is a derived view; the original line is the evidence, and a parser bug or a field dropped by aggregation cannot be recovered without it.

Difference between Flows and Events.

An event is a log of a particular action.
A flow records information about a network session: number of packets, bytes sent, bytes received and connection time (NetFlow/IPFIX records, or flows the SIEM builds from a SPAN/tap feed).

Difference between an Event, Alert and Incident

• An event is a log of a particular action on a server.
• An alert is a suspicious (not confirmed) activity in the network.
• An incident is a confirmed malicious activity.


Interview Questions on SIEM

What is SIEM?

SIEM stands for Security Information and Event Management.
It is a security management solution that helps in collecting, parsing and correlating events from various log sources.
Why do we need SIEM?

When we have security solutions like AV, Firewall, IPS why do we need SIEM?

• The various security solutions that we use to protect our network and data work in isolation.
• However, in order to detect today's sophisticated attacks, we need to correlate information from various devices. This correlation is provided by the SIEM.
• AV, F/W, IPS are all preventive technologies, whereas SIEM is mostly used for detection and analysis.
• We need SIEM for regulatory compliance too (log retention and log review requirements).
What are the popular SIEM vendors?

• According to Gartner's Magic Quadrant (February 2020) the leaders in the SIEM market are
  ✓ Splunk Enterprise Security
  ✓ IBM QRadar
  ✓ Exabeam
  ✓ Securonix
  ✓ LogRhythm
  ✓ RSA Security Analytics
• Other popular SIEMs include
  ✓ Micro Focus ArcSight

[Magic Quadrant figure: Ability to Execute vs Completeness of Vision, as of February 2020. Source: Gartner (February 2020)]
What is Parsing?

• Parsing is the process of converting unstructured data into a structured format.
• It is during parsing that the SIEM extracts all the useful metadata like Source IP, Destination IP, Username, File Name, File Hash etc. from the logs.

Raw Log: Jan 1 20:28:02 knight sshd[20336]: Failed password for root from 218.49.183.17 port 49869 ssh2

    | Parsing
    v

Parsed Event (metadata):
  Event = Failed Password
  Username = root
  Source IP = 218.49.183.17
  Source Port = 49869
  Protocol = ssh
What is Normalization?

• Normalization is the process of bringing all events into one common structure to deliver a homogeneous view.
• It could be time normalization (bringing events from devices in different geo-locations to a common time zone, typically UTC).
• Identifying common event attributes (like categorization: stamping all login and logout events as "Authentication" regardless of whether they came from Windows, sshd or a VPN).

Please note: for some SIEM tools Normalization = Parsing.
What is Aggregation?

What is the use of aggregation?

• It is the process of merging similar logs that occur over a period of time.
• For example, if there are 20 failed login events by a user on a server, the server would generate 20 logs. Instead of storing all 20 as separate events, the SIEM stores 1 record carrying an event count (and typically the first and last seen time).
• Aggregation greatly helps in conserving disk space and also increases performance.
• Caveat: fields that differ between the merged logs (a changing source port, for instance) are lost in the aggregated record, which is one more reason the raw logs are kept alongside.

Raw Logs:
Jan 1 20:28:25 Failed password for root from 218.49.183.17 port 49869 ssh2
Jan 1 20:28:37 Failed password for root from 218.49.183.17 port 49869 ssh2
Jan 1 20:28:41 Failed password for root from 218.49.183.17 port 49869 ssh2
Jan 1 20:28:49 Failed password for root from 218.49.183.17 port 49869 ssh2
Jan 1 20:28:57 Failed password for root from 218.49.183.17 port 49869 ssh2
Jan 1 20:29:02 Failed password for root from 218.49.183.17 port 49869 ssh2
Jan 1 20:29:13 Failed password for root from 218.49.183.17 port 49869 ssh2
Jan 1 20:29:20 Failed password for root from 218.49.183.17 port 49869 ssh2
Jan 1 20:29:35 Failed password for root from 218.49.183.17 port 49869 ssh2

=> Aggregation =>

Stored Record:
Jan 1 20:28:02 Failed password for root from 218.49.183.17 port 49869 ssh2
Event Count = 9
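An added example (not from the original deck) covering both the parsing slide and the aggregation slide above: a parser that turns the sshd "Failed password" line into the same metadata the deck lists, followed by an aggregator that merges identical parsed events inside a time window into one record with first/last seen and a count. The raw lines are constructed to match the deck's example; the aggregation key and the 5-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# sshd "Failed password" line, with or without the "invalid user" marker.
SSHD_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<src_ip>[0-9a-fA-F.:]+) port (?P<src_port>\d+) (?P<proto>\w+)$"
)


def parse(line: str, year: int = 2020) -> Optional[dict]:
    """Parse one raw sshd line into SIEM-style metadata; None if it does not match.

    Classic syslog timestamps carry no year, so the collector supplies it.
    """
    m = SSHD_FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return {"timestamp": ts, "host": m["host"], "event": "Failed Password",
            "username": m["user"], "user_exists": m["invalid"] is None,
            "source_ip": m["src_ip"], "source_port": int(m["src_port"]),
            "protocol": m["proto"]}


def aggregate(events, window=timedelta(minutes=5)) -> list:
    """Merge identical events (same host, event, user, source IP, protocol)
    that fall within `window` of the first one into a single record that keeps
    the first/last timestamp, a count and the set of source ports seen."""
    records, open_by_key = [], {}
    for e in sorted(events, key=lambda ev: ev["timestamp"]):
        key = (e["host"], e["event"], e["username"], e["source_ip"], e["protocol"])
        rec = open_by_key.get(key)
        if rec is None or e["timestamp"] - rec["first_seen"] > window:
            rec = {k: v for k, v in e.items() if k not in ("timestamp", "source_port")}
            rec.update(first_seen=e["timestamp"], last_seen=e["timestamp"],
                       count=0, source_ports=set())
            open_by_key[key] = rec
            records.append(rec)
        rec["count"] += 1
        rec["last_seen"] = e["timestamp"]
        rec["source_ports"].add(e["source_port"])   # detail the deck's stored record drops
    return records


def parse_and_aggregate(lines, **kwargs) -> list:
    parsed = [p for p in (parse(line) for line in lines) if p is not None]
    return aggregate(parsed, **kwargs)


# Constructed raw lines: the nine root failures from the deck, two more against
# a non-existent user, and an "Accepted" line the parser must leave alone.
RAW_LOGS = [
    "Jan 1 20:28:25 knight sshd[20336]: Failed password for root from 218.49.183.17 port 49869 ssh2",
    "Jan 1 20:28:37 knight sshd[20336]: Failed password for root from 218.49.183.17 port 49869 ssh2",
    "Jan 1 20:28:41 knight sshd[20336]: Failed password for root from 218.49.183.17 port 49869 ssh2",
    "Jan 1 20:28:49 knight sshd[20336]: Failed password for root from 218.49.183.17 port 49869 ssh2",
    "Jan 1 20:28:57 knight sshd[20336]: Failed password for root from 218.49.183.17 port 49869 ssh2",
    "Jan 1 20:29:02 knight sshd[20336]: Failed password for root from 218.49.183.17 port 49869 ssh2",
    "Jan 1 20:29:13 knight sshd[20336]: Failed password for root from 218.49.183.17 port 49869 ssh2",
    "Jan 1 20:29:20 knight sshd[20336]: Failed password for root from 218.49.183.17 port 49869 ssh2",
    "Jan 1 20:29:35 knight sshd[20336]: Failed password for root from 218.49.183.17 port 49869 ssh2",
    "Jan 1 20:29:40 knight sshd[20351]: Failed password for invalid user admin from 218.49.183.17 port 50102 ssh2",
    "Jan 1 20:29:44 knight sshd[20351]: Failed password for invalid user admin from 218.49.183.17 port 50102 ssh2",
    "Jan 1 20:30:01 knight sshd[20360]: Accepted publickey for deploy from 10.10.5.6 port 44120 ssh2",
]

if __name__ == "__main__":
    for rec in parse_and_aggregate(RAW_LOGS):
        print(rec["username"], rec["count"], rec["first_seen"].time(), rec["last_seen"].time())
```

The nine root lines collapse to one record with count 9, exactly the deck's stored record; the two "invalid user admin" lines form a second record because the username differs. Keeping source_ports as a set is the cheap way to retain the one field that changes between otherwise identical lines.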
What is Correlation?

• Correlation can be defined as a set of conditions that indicates suspicious activity.
Examples:
• User activity during non-business hours
• VPN logins from multiple locations
• Multiple malwares on the same host
What are the different collection methods available in a SIEM solution?

How do you on-board Windows Event Logs?

What are the log sources you have on-boarded?

Collection Method | Used for | Example Log Sources
WMI (Windows Management Instrumentation) | Windows Event Logs | Application, System and Security logs
Syslog | Network devices and security solutions | Routers, switches, firewall, proxy, WAF etc.
Flat File: CIFS (Windows), NFS (Linux) | Applications/servers that write logs to a flat file | DNS, DHCP, Apache logs, Linux
Agent: WinCollect (IBM QRadar), SIEM Collector Agent (McAfee ESM), Universal Forwarder (Splunk) | Various log sources including Windows Event Logs, flat file logs etc. | Application, System and Security logs, DNS, DHCP etc.
API | Cloud logs, threat feeds | AWS CloudTrail logs
DB Collectors (JDBC/ODBC) | Database logs | MySQL audit logs, McAfee ePO, Oracle DB audit logs etc.
What are pull and push collection methods?

• In a pull method of collecting logs, the SIEM is actively involved in collecting the logs, usually by logging in to the log source. This is done at a regular frequency, so the SIEM needs credentials on every source (a privileged account that must itself be protected).
  Example: WMI, Flat File, DB Collectors, API
• In a push method, the logs are pushed by the log sources and the SIEM just listens on the assigned port and IP.
  Example: Syslog, Agent

Pull and Push are sometimes referred to as Active and Passive Collection respectively.
Syslog Collection Method.

1. Default port for Syslog?
   • Syslog - 514 (UDP is the traditional default; TCP 514 is also common)
   • TLS Syslog - 6514 (TCP)
2. Is Syslog TCP or UDP?
   It has both TCP and UDP versions. UDP is fire-and-forget, so events can be lost silently and the sender is not authenticated; TCP with TLS (port 6514) is the preferred transport for security log sources.
While purchasing a SIEM, how do you size it?

How will you decide the capacity of SIEM you need?

• SIEM sizing is done in 2 ways: Events Per Second (EPS) and data indexed per day.
• There are a few methods to do this:
  1. We can set up a POC (Proof of Concept), on-board a few log sources of each type and measure the EPS. Later we multiply by the appropriate number of devices.
     Example: If we have 200 Windows log sources and one Windows log source during the POC generated 10 EPS, we will need 200 x 10 = 2000 EPS.
  2. An easier method is to use the vendor-provided spreadsheet calculator and feed in all the data: no. of Windows log sources, no. of DNS servers, no. of routers & switches, no. of firewalls etc. This gives an approximate EPS. To be on the safe side we should keep an extra buffer of 20-30%, and size for peak EPS (e.g. during a scan or an outage storm), not the average.
• In order to calculate the amount of data indexed, most SIEM vendors typically take 1 event as roughly 400 bytes for most log sources and 1 KB for Windows Event Logs.
  If we have 300 log sources that generate 10 EPS each, then EPS = 3000 and the amount of data indexed will roughly be 3000 x 400 bytes = 1,200,000 bytes/second.
  1,200,000 x 60 x 60 x 24 = 103,680,000,000 bytes ~= 103.7 GB per day.
How long should we retain logs in SIEM?

Retention is usually defined by regulatory compliance. For example, PCI DSS (requirement 10.7) says audit trail history must be retained for at least one year, with a minimum of three months immediately available for analysis.

• Parsed events should be retained for 90 days.
  Parsed events are typically used for analysis and reporting. It is very rare that we analyse events older than 90 days.
• Raw logs can be stored for a year.
How frequently should you take a SIEM backup?

• It is recommended to schedule the SIEM backup every 7 days.
• But we should take a manual backup every time we are making major changes or upgrades.
How do you troubleshoot if any log source is not sending logs?

Non-reporting log sources are called Silent Log Sources.

To troubleshoot a silent log source, we need to identify where in the log flow the issue exists. A typical log flow is:

LOG SOURCE -> COLLECTION -> PARSING -> STORAGE (the last three inside the SIEM)

• It could be at the log source side: misconfiguration (wrong IP or port, necessary services not running, incorrect logging level etc.).
• The issue could be at the network level. We can identify this by running a packet capture on the collector (tcpdump for Linux-based collectors, Wireshark for Windows-based), e.g. tcpdump -vvnni eth0 host <ip_logsource>. If packets arrive but nothing is parsed, the source and the network path are fine and the problem is inside the SIEM.
• The issue could be with collecting and parsing. We need to check that the appropriate services are running and check the SIEM's own log files for errors.
• Finally it could be a SIEM DB issue, which means the logs are being collected, parsed and stored, but the UI is unable to query the DB. Usually a restart of the affected service fixes such an issue.
• If none of this helps, I would bring in the vendor TAC (Technical Assistance Center).
What is a List/Watchlist/Reference Set?

A list is a collection of elements of the same type (like a list of IP addresses, or a list of all admin users). Lists can be used in filters and correlation rules.

Examples:
1. List of all admin users
2. List of all public IPs of the company
3. List of all service accounts

Lists are heavily used to integrate Threat Intelligence with the SIEM.
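An added example (not from the original deck) of the threat-intelligence integration just described: a reference set built from feed lines (single IPs and CIDR blocks, comments allowed), plus the "Outbound Communication to Blacklisted IP" rule run over firewall events. The direction test uses the private ranges as the internal side, the way a SIEM's network hierarchy would; the feed entries and events are constructed from RFC 5737 documentation ranges.

```python
import ipaddress
from typing import Iterable

# Internal address space, as a SIEM's network hierarchy would define it.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def direction(src: str, dst: str) -> str:
    """Local2Remote / Remote2Local / Local2Local / Remote2Remote."""
    return ("Local" if is_local(src) else "Remote") + "2" + ("Local" if is_local(dst) else "Remote")


class Watchlist:
    """A reference set of IPs and CIDR blocks, loaded from feed lines."""
    def __init__(self, entries: Iterable[str], name: str = "Blacklisted IPs"):
        self.name = name
        self.addresses = set()          # exact IPs: O(1) membership
        self.networks = []              # CIDR entries: scanned linearly
        for raw in entries:
            raw = raw.split("#", 1)[0].strip()   # drop feed comments
            if not raw:
                continue
            if "/" in raw:
                self.networks.append(ipaddress.ip_network(raw, strict=False))
            else:
                self.addresses.add(ipaddress.ip_address(raw))

    def __contains__(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return addr in self.addresses or any(addr in net for net in self.networks)


def outbound_to_blacklist(events, watchlist: Watchlist) -> list:
    """Rule: Log Source = Firewall AND Direction = Local2Remote AND Destination IP in list."""
    alerts = []
    for e in events:
        if e["log_source"] != "firewall":
            continue
        if direction(e["src_ip"], e["dst_ip"]) != "Local2Remote":
            continue
        if e["dst_ip"] in watchlist:
            alerts.append({"rule": "Outbound communication to blacklisted IP",
                           "host": e["src_ip"], "dst_ip": e["dst_ip"],
                           "action": e["action"], "list": watchlist.name})
    return alerts


# Constructed feed and firewall events (RFC 5737 documentation ranges stand in
# for the public side; the internal side uses the private ranges above).
FEED = ["# constructed feed", "203.0.113.45", "198.51.100.0/24 # C2 hosting range"]
EVENTS = [
    {"log_source": "firewall", "src_ip": "10.10.2.78", "dst_ip": "203.0.113.45", "action": "allow"},
    {"log_source": "firewall", "src_ip": "10.10.2.79", "dst_ip": "198.51.100.7", "action": "deny"},
    {"log_source": "firewall", "src_ip": "10.10.2.80", "dst_ip": "192.0.2.10", "action": "allow"},
    {"log_source": "firewall", "src_ip": "203.0.113.45", "dst_ip": "10.10.5.7", "action": "deny"},  # inbound: not this rule
    {"log_source": "proxy", "src_ip": "10.10.2.78", "dst_ip": "203.0.113.45", "action": "allow"},    # not a firewall event
]

if __name__ == "__main__":
    for a in outbound_to_blacklist(EVENTS, Watchlist(FEED)):
        print(a)
```

Two alerts come out: 10.10.2.78 (exact match, and the connection was allowed, which is the one to escalate first) and 10.10.2.79 (CIDR match, denied at the firewall, so the host is still worth looking at but nothing left the network). The inbound hit from the listed address is deliberately excluded; inbound scans from bad addresses are a different, much noisier rule.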
Interview Questions on Correlation Rules (Use Cases)

What is Correlation?

Correlation is the process of identifying suspicious activity by defining a set of conditions.

Example: A user account created during non-business hours
Here there is a correlation between two (2) conditions:
• An event - user account created
• A time condition - during non-business hours (between 7pm and 7am)
How do you categorize correlation rules?

Different organizations categorize correlation rules in different ways. A few of them are:
• Based on device - firewall based rules, AV based rules, proxy based rules etc.
• Based on category - Malware, Access, Network, Database etc.
• According to the phases of the Cyber Kill Chain - rules to detect the Reconnaissance phase, the Exploit phase etc.
What is a cross-platform correlation rule?

A correlation rule that involves at least two (2) different log sources is called a cross-platform correlation rule.

Example 1: High severity IPS alert for a vulnerable host
Here we are correlating an event from the IPS with data from the Vulnerability Assessment log source: the same IPS signature against a host the scanner reports as vulnerable to it is far more likely to have succeeded.

Example 2: Multiple RDPs after VPN access
Here we are correlating events from the Firewall (for VPN access) and any server based on an authentication event.
Malware Use cases. 


If there is a malware detection on a server, it is Create a List in SIEM of all \Category=Malware 
1 Malware detection on a Server pE en worth taking a look at irrespective of the AV HE Ene Host (belongs to) Server List 


EXPERTS 


"OR Category = Malware 
Unhandled Malware his is when the AV detects the malware but is None Action = Delete failed OR Quarantine failed 

unable to clean, delete or quarantine À 
or Clean Failed 
Category= Malware 

ame Malware on Multiple Host Indicates several users are targeted via an email or a None No. of Unique host =5 

commonly used website ime Windows = 1 hour 

Malware Name is constant ( 
one 


Indicates either the user is trying to download or Category = Malware 
Multiple Malware Infection on a |copy a malicious file over and over again. OR a "E of Event = 5 
malware is partially executed and trying to perform a ime Window = 1 hours 
ivity that is being detected as malicious by AV Host should be constant ( 


Create a List in SIEM of all 
A compromised host is initiating communication to {Blacklisted IPs. This is done 
its Command & Control hrough Threat intelligence 


Outbound Communication to 
Blacklisted IP OR Possible 
Botnet Activity Detected 


Log Source = Firewall 

Direction = Local2Remote 

Destination IP (belong to) Blacklisted IP List 

Indicates the presence of Domain Generating g oure ie 

z s DNS Response =NXDOMAIN 
oo Many DNS Lookup Failures Algorithm. DGAs are used by malware authors to a 
: No. of Event = 1000 
avoid detections from Threat Intelligence. a et 

Client is constant 


Install an agent on the sca il c Caor Grad ` 
High Resource (CPU or Memory) |High resource consumption is an indication of servers that will provide oo iia i i al 


Utilization malware activity he resource utilization OR Avg. CPU Utilization for 10 minutes > 90% 


Install Sysmon to collect 

process related 

information. Make a list of 
Il authorized processes 


Event = New Process Started 
Process Name (Doesn't belong to) Authorized 
Processes List 


Unauthorized Process Detected |A new (unknown) process is running in a server 
Use Cases on Firewall.

1. Too many firewall denies for the same source
   Description: An attacker is trying to connect over and over again and is being blocked, or malware is trying to connect to C&C and is being denied.
   Prerequisite: None
   Rule logic: Event Type = Connection Denied; No. of events = 300; Time window = 5 minutes; Source IP constant

2. VPN Login from Multiple Geolocations
   Description: A user cannot connect to the VPN from 2 geo-locations at the same time.
   Prerequisite: None
   Rule logic: Event Type = VPN Authentication; Unique Geolocations = 2; Username held constant

3. Horizontal Scan detected
   Description: An attacker tries to scan the available IPs as part of information gathering.
   Rule logic: Log Source = Firewall; Unique Destination IPs = 10; Time window = 1 minute; same Source IP

4. Vertical Scan detected
   Description: An attacker tries to scan the available ports on a server as part of information gathering.
   Rule logic: Log Source = Firewall; Unique Destination Ports = 100; Time window = 1 minute; same Source IP and Destination IP

5. Scanning on Remote Access Ports
   Description: An attacker tries to connect to company servers on remote access ports.
   Prerequisite: Create a list of remote access ports (3389, 22, etc.)
   Rule logic: Log Source = Firewall; Destination Port (belongs to) List of Remote Access Ports; No. of events = 20; Time window = 30 minutes; same Destination IP

6. High Volume of connections from Country of Concern
   Description: Countries the company doesn't do business with, or whose relationship with the home country is not good.
   Prerequisite: List of all countries of concern
   Rule logic: Log Source = Firewall; Source Country (belongs to) List of Countries of Concern

7. Outbound SMTP traffic from Unauthorized Host
   Description: An infected machine might start sending spam email from inside the company.
   Prerequisite: List of all email servers
   Rule logic: Source IP != List of Email Servers; Destination Port = 25

8. Proxy Bypass Attempt
   Description: A client or server tries to connect to the internet directly (usually users trying to do things that are not allowed, or malware trying to connect to C&C).
   Prerequisite: None
Use Cases on AD and Windows Logs.

1. Local account created
   Description: User account created on a server (not in AD).
   Rule logic: Event ID = 4720; Log Source != AD

2. User added to / removed from admin group
   Description: Helps in monitoring accidental or attacker privilege escalation.
   Prerequisite: Create a list of High Privileged Groups
   Rule logic: Event ID = (group membership change events); Group (belongs to) List of High Privileged Groups

3. Too many account lockouts
   Description: Brute force is happening on several accounts.
   Rule logic: Event ID = 4740; No. of events > 10; Time window = 1 hour

4. Service Account Password Reset
   Description: Service accounts are very sensitive as they have higher privileges and do not get locked out.
   Prerequisite: List of Service Accounts
   Rule logic: Event ID = 4724; User (belongs to) List of Service Accounts

5. Group created / deleted
   Description: Groups are not created very often, so it is good to monitor group creations and deletions in AD.
   Rule logic: Event ID = 4731, 4727 for created; Event ID = 4734, 4730 for deleted

6. Domain Account Creation During Non-Business Hours
   Description: Suspicious activity; account created by an attacker.
   Rule logic: Event ID = 4720; Time (not in) Monday - Friday 7am to 7pm

7. Too many password resets
   Description: Suspicious activity.
   Rule logic: Event ID = 4724; No. of events > 10; Time window = 1 hour

8. Audit Logs Cleared
   Description: An attacker or an admin is clearing their tracks.
   Prerequisite: None
   Rule logic: Event ID = 1102
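An added example (not from the original deck) that turns the rule logic from the malware, firewall and AD tables above into one small correlation engine: each rule is a filter, a grouping key (the "held constant" fields), something to count (distinct values of a field, or plain events), a threshold and a window, evaluated with a sliding window per group. The thresholds are the deck's; the 1-hour window for the DNS rule, the event field names and all the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def business_hours(ts: datetime) -> bool:
    """Monday-Friday 07:00-19:00, the window the deck uses."""
    return ts.weekday() < 5 and 7 <= ts.hour < 19


# Each rule: filter, fields held constant, what to count, threshold, window.
RULES = [
    {"name": "Horizontal scan detected",
     "where": lambda e: e.get("log_source") == "firewall",
     "group_by": ("src_ip",), "distinct": "dst_ip", "threshold": 10,
     "window": timedelta(minutes=1)},
    {"name": "Vertical scan detected",
     "where": lambda e: e.get("log_source") == "firewall",
     "group_by": ("src_ip", "dst_ip"), "distinct": "dst_port", "threshold": 100,
     "window": timedelta(minutes=1)},
    {"name": "Too many firewall denies for same source",
     "where": lambda e: e.get("log_source") == "firewall" and e.get("action") == "deny",
     "group_by": ("src_ip",), "distinct": None, "threshold": 300,
     "window": timedelta(minutes=5)},
    {"name": "Too many DNS lookup failures",
     "where": lambda e: e.get("log_source") == "dns" and e.get("rcode") == "NXDOMAIN",
     "group_by": ("client_ip",), "distinct": None, "threshold": 1000,
     "window": timedelta(hours=1)},          # window is an assumption; the deck gives none
    {"name": "Domain account created during non-business hours",
     "where": lambda e: (e.get("log_source") == "ad" and e.get("event_id") == 4720
                         and not business_hours(e["ts"])),
     "group_by": ("target_user",), "distinct": None, "threshold": 1,
     "window": timedelta(seconds=0)},
]


def evaluate(rule: dict, events) -> list:
    """Fire once per group, the first time the window condition is met."""
    groups = defaultdict(list)
    for e in sorted(filter(rule["where"], events), key=lambda ev: ev["ts"]):
        groups[tuple(e[k] for k in rule["group_by"])].append(e)
    alerts = []
    for key, evs in groups.items():
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > rule["window"]:
                lo += 1                              # slide the window start forward
            span = evs[lo:hi + 1]
            value = len({e[rule["distinct"]] for e in span}) if rule["distinct"] else len(span)
            if value >= rule["threshold"]:
                alerts.append({"rule": rule["name"], "key": key, "value": value,
                               "first": evs[lo]["ts"], "last": evs[hi]["ts"]})
                break
    return alerts


def run_all(events, rules=RULES) -> list:
    return [a for r in rules for a in evaluate(r, events)]


# --- constructed sample events -------------------------------------------
T0 = datetime(2020, 2, 18, 10, 0, 0)                 # a Tuesday, inside business hours

def _fw(src, dst, port, secs, action="deny"):
    return {"log_source": "firewall", "ts": T0 + timedelta(seconds=secs),
            "src_ip": src, "dst_ip": dst, "dst_port": port, "action": action}

EVENTS = []
EVENTS += [_fw("10.10.2.78", "10.10.5.%d" % i, 445, 2 * i) for i in range(1, 13)]       # 12 hosts in 24 s
EVENTS += [_fw("10.10.2.79", "10.10.5.7", p, 0.4 * p) for p in range(1, 121)]           # 120 ports in 48 s
EVENTS += [_fw("10.10.2.80", "10.10.5.7", 443, 0.7 * i) for i in range(310)]            # 310 denies in 217 s
EVENTS += [_fw("10.10.2.50", "10.10.5.%d" % i, 443, 60 * i, "allow") for i in range(1, 6)]  # benign
EVENTS += [{"log_source": "dns", "ts": T0 + timedelta(seconds=0.6 * i),
            "client_ip": "10.10.2.81", "rcode": "NXDOMAIN"} for i in range(1000)]      # DGA-like
EVENTS += [{"log_source": "ad", "ts": datetime(2020, 2, 15, 23, 30), "event_id": 4720,
            "target_user": "backup_adm"},                                               # Saturday night
           {"log_source": "ad", "ts": T0, "event_id": 4720, "target_user": "jsmith"}]   # Tuesday 10:00

if __name__ == "__main__":
    for a in run_all(EVENTS):
        print(a["rule"], a["key"], a["value"])
```

Five alerts fire, one per rule, and the benign source with five allowed connections a minute apart stays quiet. Firing once per group and then stopping is the simplification a real SIEM replaces with suppression and re-arm intervals; without it the deny rule alone would raise an alert on every one of its remaining events.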
Correlation Rules based on Cyber Kill Chain

Reconnaissance
• Horizontal Scan detected
• Vertical Scan detected
• Directory Traversal (alerted by WAF)
• High Volume of connections from country of concern
Weaponization
• This phase cannot be detected as it is done by the attacker on his side.
Delivery
• Too many emails from the same domain
• Too many emails with the same subject line
• Email with multiple attachments
• Visit to malicious website
Exploit
• Too many file modifications
• Registry changes detected
Install
• High Resource Utilization
• New Process detected
Command & Control
• Communication to bad reputation IP
• Too many DNS lookup failures
Actions on Objective
• File modification
• High volume of data outbound
• Critical Server Shutdown
How do you detect malware in the network without AV?

Behavior-based malware detection:
• Outbound Communication to Blacklisted IP OR Possible Botnet Activity Detected
• Too Many DNS Lookup Failures (indicates a possible DGA running in the network)
• High Resource (CPU or Memory) Utilization
• Unauthorized Process Detected
How do you detect SQL Injection in SIEM?

We can write correlation rules to trigger on:
• SQLi related alert from IPS or WAF
• Unusual username (user name with special characters such as quotes or comment markers)
• Too many errors on the database (syntax errors are the footprint of an attacker probing for the injection point)
• Too many SELECT statements
• DROP command executed

These rules are typically run on database audit logs (the first one on WAF/IPS logs).
How do you detect Ransomware using SIEM?

We can write correlation rules to trigger on:
• Behavioral analysis for detecting user privilege escalation
• High volume of administrator logins
• Traffic parameters deviating from their baseline characteristics
• Communication with malicious IP addresses, URLs, domains and suspicious geographic destinations, as well as a traffic volume surge, may indicate ransomware presence in a network
• File modifications (if we have File Integrity Monitoring events; a burst of renames and writes across many files from one host is the classic encryption footprint)
Correlation Rules to detect Phishing Email.

We can write correlation rules to trigger on:
• Too many emails from the same domain
• Too many emails with the same subject line
• Email from blacklisted IP
• Email with multiple attachments
• Email blocked due to phishing link (email gateway events)
• Communication to bad URL
Interview Questions on Threat Intelligence

What is Threat Intelligence?

Threat intelligence is knowledge that allows an organization to prevent or mitigate cyberattacks, especially zero-day malware or exploits.

It is a subscription-based service offered by many vendors.

• Technically, a TI feed is a database of Indicators of Compromise, ideally with context (malware family, campaign, confidence, first/last seen) so that a match can be prioritised.
Name a few open source Threat Intelligence feeds.

• Abuse.ch
• OSINT (open-source intelligence in general, rather than a single feed)
• threatfeeds.io
• autoshun.org
• malwaredomainlist.com
Name a few commercial Threat Intelligence feeds.

• IBM X-Force Exchange
• Anomali ThreatStream
• Palo Alto Networks AutoFocus
• FireEye iSIGHT Threat Intelligence
• Recorded Future
What is an IOC?

• IOC stands for Indicators of Compromise. It is an attribute (forensic data) associated with an attack.
• IOCs focus on the "what" of an attack.
• Attributes associated with an attack might include an IP address, URL, email, file hash etc.

What is IOA?

• IOA stands for Indicators of Attack.
• IOAs focus more on the "why" and the intent of an actor.
• IOAs are events that could reveal an active attack before indicators of compromise become visible, like an unknown process running.
• Unlike Indicators of Compromise (IOCs) used by legacy endpoint detection solutions, indicators of attack (IOAs) focus on detecting the intent of what an attacker is trying to accomplish.
What Are the Common Indicators of Compromise obtained from Threat Intelligence?

• IP addresses, URLs and domain names: An example would be malware targeting an internal host that is communicating with a known threat actor.
• Email addresses, email subject, links and attachments: An example would be a phishing attempt that relies on an unsuspecting user clicking on a link or attachment and initiating a malicious command.
• Registry keys, filenames, file hashes and DLLs: An example would be an attack from an external host that has already been flagged for nefarious behavior or that is already infected.
What security solutions use Threat Intelligence?

• In today's world almost every prevention and detection system uses TI feeds.
• AV solutions can use TI to check for malicious hashes.
• Firewalls can use TI to check for blacklisted IPs etc.

How does Threat Intelligence work?

Threat Intelligence works in two ways:
• Some TI feeds let you download the IOC database on-prem (for example, integrating it into SIEM lists).
• Other TI feeds work as a subscription: every time you need to check the reputation of a file, URL or IP address, the security solution makes a quick, light-weight query to the TI server, gets the response and takes appropriate action.
Where do you install Threat Intelligence in the network?

This is a trick question.

• TI is not installed on-prem; it is a subscription-based service offered by many vendors.

Why Is Threat Intelligence Important?

• TI helps keep companies informed of the advanced threats, exploits and zero-day threats that they are most vulnerable to, and how to take action against them.

What is US-CERT?

• It is a website maintained by the US Department of Homeland Security. It is a good source of TI.
• US-CERT releases information about new threats in the form of Technical Alerts.

Example of how you have consumed TI?

• Integrating TI feeds with SIEM
• Using IPVoid, URLVoid or VirusTotal during analysis of any alert
• Ad-hoc reports for the latest attacks (using their IOCs)

How can TI be integrated with SIEM?

• TI can be integrated using lists. These lists should be updated regularly to get the latest IOCs.
What are TAXII and STIX?

• Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI).
• In short, STIX is a structured language for cyber threat intelligence.
• Trusted Automated eXchange of Indicator Information (TAXII™) is a free and open transport mechanism that standardizes the automated exchange of cyber threat information.
• In short, TAXII is a transport mechanism for sharing cyber threat intelligence.
• Example: http://hailataxii.com/

STIX states the "what" of threat intelligence, while TAXII defines how that information is relayed. STIX and TAXII are machine-readable and therefore easily automated.
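How a STIX bundle (the kind a TAXII server serves) becomes the SIEM lists described under "How can TI be integrated with SIEM?", as an added example that is not part of the original notes: flatten the indicator patterns into per-type lists, then match constructed log lines against them. The bundle, its identifiers, the indicator values and the log lines are all constructed; only single-comparison and OR-joined STIX patterns are handled.

```python
import json
import re
from urllib.parse import urlsplit


def _indicator(n, name, pattern, revoked=False):
    # Minimal STIX 2.1 indicator object; ids and timestamps are constructed
    return {"type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-%012d" % n,
            "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z",
            "name": name, "pattern": pattern, "pattern_type": "stix",
            "valid_from": "2024-05-01T00:00:00Z", "revoked": revoked}


# A constructed bundle, shaped like what a TAXII collection would return.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _indicator(2, "Scanning hosts",
                   "[ipv4-addr:value = '198.51.100.23' OR ipv4-addr:value = '198.51.100.24']"),
        _indicator(3, "Malware staging domain", "[domain-name:value = 'update-cdn.example']"),
        _indicator(4, "Dropper", "[file:hashes.'SHA-256' = '" + "0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2 + "']"),
        _indicator(5, "Withdrawn sighting", "[ipv4-addr:value = '203.0.113.9']", revoked=True),
        _indicator(6, "Needs both properties",
                   "[file:name = 'x.exe' AND file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"),
        {"type": "identity", "spec_version": "2.1", "id": "identity--00000000-0000-4000-8000-000000000007",
         "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z",
         "name": "Example feed", "identity_class": "organization"},
    ],
})

COMPARISON = re.compile(
    r"(ipv4-addr:value|domain-name:value|url:value|file:hashes\.'SHA-256'|file:hashes\.MD5)\s*=\s*'([^']+)'")
PATH_TO_TYPE = {"ipv4-addr:value": "ip", "domain-name:value": "domain", "url:value": "url",
                "file:hashes.'SHA-256'": "sha256", "file:hashes.MD5": "md5"}


def load_stix_indicators(bundle_json):
    """Flatten a STIX 2.1 bundle into SIEM-style lists: {type: {value: indicator id}}.
    Revoked indicators are dropped, OR-joined comparisons are expanded, and
    AND-joined patterns are skipped because they cannot be reduced to a flat list."""
    lists = {t: {} for t in PATH_TO_TYPE.values()}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix" or " AND " in obj["pattern"]:
            continue
        for path, value in COMPARISON.findall(obj["pattern"]):
            lists[PATH_TO_TYPE[path]][value.lower()] = obj["id"]
    return lists


# Constructed firewall/proxy/AV log lines in a simple key=value form.
LOG_LINES = [
    "2024-05-01T10:00:01Z fw deny src=198.51.100.23 dst=10.1.2.3 dport=22",
    "2024-05-01T10:00:05Z proxy allow user=bob url=http://update-cdn.example/pkg.bin",
    "2024-05-01T10:00:09Z av detect host=WS-0042 sha256=" + "0F1E2D3C4B5A69788796A5B4C3D2E1F0" * 2,
    "2024-05-01T10:01:00Z fw allow src=203.0.113.9 dst=10.1.2.4 dport=443",
    "2024-05-01T10:02:00Z proxy allow user=ann url=https://intranet.example/home",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\burl=(\S+)")
HASH_RE = re.compile(r"\b(sha256|md5)=([0-9a-fA-F]{32,64})\b")


def match_events(log_lines, lists):
    """Return (line number, ioc type, value, indicator id) for every list hit."""
    hits = []
    for n, line in enumerate(log_lines):
        for ip in IP_RE.findall(line):
            if ip in lists["ip"]:
                hits.append((n, "ip", ip, lists["ip"][ip]))
        for url in URL_RE.findall(line):
            host = (urlsplit(url).hostname or "").lower()
            if url.lower() in lists["url"]:
                hits.append((n, "url", url, lists["url"][url.lower()]))
            elif host in lists["domain"]:
                hits.append((n, "domain", host, lists["domain"][host]))
        for kind, digest in HASH_RE.findall(line):
            if digest.lower() in lists[kind]:
                hits.append((n, kind, digest.lower(), lists[kind][digest.lower()]))
    return hits


if __name__ == "__main__":
    for hit in match_events(LOG_LINES, load_stix_indicators(STIX_BUNDLE)):
        print(hit)
```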
Which is your favorite TI?

• IBM X-Force
• Threat Crowd
  - Gives a graphical representation of the association of various attributes like domain names, IPs and file hashes
  - Gives a timeline of how the IP was behaving over a period of time

[Screenshots: a ThreatCrowd IP report (graph of related domains, IPs and file hashes) and an IBM X-Force Exchange IP report (Risk: Scanning IPs; Location: Russia; Categorization: Scanning IPs (100%); Reason: Firewall deny log analysis)]
Interview Questions on Analysis & Incident Response

Malware Alert

Gather information: Hostname, File Path, File Hash, User, Malware Name, AV Action, File Name, Malware Category

AV action: Deleted vs. Not Deleted/Not Quarantined

If the malware was deleted, identify the source of the malware:
• Check for emails received by the user 2-4 hours before the malware detection
• Check all the websites the user has visited in the last 1 hour
• Check the possibility of malware detection on USB (by drive letter in the file path)
• Research the malware (to see if it is targeted)
• Check if the file hash appears elsewhere in the network

If the malware was not deleted/not quarantined:
• Raise an incident to manually remove the malware
• Continue analysis and keep adding notes to the incident
• Check if AV has up-to-date signatures
• Check for any file modifications, registry modifications, user account creations, privilege escalation and audit logs of the affected host

Actions based on the source:
• Email - Take permission and delete all the emails from the sender/subject line or mails having the attachment
• Web - Block the URL on the proxy and the IP address on the firewall
• USB - Educate the user about the malware, issue a warning
• Manually remove the malware and rescan the host
How do you remove a malware manually?

Step 1: Download Process Explorer and enable VirusTotal integration
Step 2: Run Process Explorer and look for the malicious process
Step 3: Identify the path of the process
We cannot delete the file from the path as it is currently running. If we try killing the process, it comes up again immediately.
Step 4: Boot the machine in safe mode
In safe mode only the minimum required Windows processes run, thereby preventing the malware from running.
Step 5: Delete the malicious file from the identified path
Step 6: Boot in standard mode and run a full scan
How do you work on a Phishing Alert?

Phishing Mail Reported

Open the mail in .MSG format

Analysis:
• Submit the URL to … and check the reputation.
• Check the domain in a WHOIS lookup to identify the IP address of …
• Paste the Internet header into … (Analyze Headers):
  - Check for DMARC compliance
  - Check SPF alignment and authentication
  - Check DKIM alignment and authentication
• Check the Return-Path
• Check the reputation of the IP addresses and domain names that appear in the header information

Actions:
• Block the domain at the email gateway
• Block associated IPs at the firewall
• If there are other copies of the email in other users' mailboxes, take permission to delete them
• Educate the user about the techniques used in the phishing email
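The header checks in the analysis step above (SPF, DKIM, DMARC, alignment with the From domain, Return-Path, and the IPs to run reputation lookups on), as an added example that is not part of the original notes. It reads the Authentication-Results header the receiving gateway already stamped on the mail; both header sets, every domain and every IP are constructed, and "organizational domain" is approximated by the last two labels because no public suffix list is used.

```python
import email
import re
from email.utils import parseaddr

# Constructed headers of a reported phishing mail (all names made up).
# SPF and DKIM pass for the actual sending domain, but neither aligns
# with the From domain, so DMARC fails.
PHISH_HEADERS = """Return-Path: <bounce@mail-secure.example>
Received: from mail-secure.example (mail-secure.example [198.51.100.20])
        by mx.corp.example with ESMTP id 4VQx0k1c2z
        for <bob@corp.example>; Wed, 01 May 2024 09:00:01 +0000
Authentication-Results: mx.corp.example;
        spf=pass smtp.mailfrom=bounce@mail-secure.example;
        dkim=pass header.d=mail-secure.example;
        dmarc=fail (p=reject) header.from=bank.example
From: "Bank Support" <support@bank.example>
To: bob@corp.example
Subject: Invoice overdue - action required

"""

# Constructed headers of a legitimate mail from the same bank, for contrast.
GOOD_HEADERS = """Return-Path: <notify@bank.example>
Received: from smtp1.bank.example (smtp1.bank.example [203.0.113.25])
        by mx.corp.example with ESMTP id 4VQx0k1c3a
        for <bob@corp.example>; Wed, 01 May 2024 09:10:00 +0000
Authentication-Results: mx.corp.example;
        spf=pass smtp.mailfrom=notify@bank.example;
        dkim=pass header.d=bank.example;
        dmarc=pass header.from=bank.example
From: "Bank Notifications" <notify@bank.example>
To: bob@corp.example
Subject: Your May statement is ready

"""


def org_domain(domain):
    """Relaxed-alignment approximation: keep the last two labels only."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def analyze_headers(raw):
    """Summarize the authentication state of one mail from its raw headers."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return_path_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "")
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    dkim_d = re.search(r"header\.d=([^\s;]+)", auth)
    spf_domain = mailfrom.group(1).rpartition("@")[2].lower() if mailfrom else ""
    dkim_domain = dkim_d.group(1).lower() if dkim_d else ""
    header_ips = []
    for received in msg.get_all("Received", []):      # relay IPs for reputation lookups
        header_ips += re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    report = {
        "from_domain": from_domain, "return_path_domain": return_path_domain,
        "spf": results.get("spf", "none"), "dkim": results.get("dkim", "none"),
        "dmarc": results.get("dmarc", "none"),
        "spf_aligned": bool(spf_domain) and org_domain(spf_domain) == org_domain(from_domain),
        "dkim_aligned": bool(dkim_domain) and org_domain(dkim_domain) == org_domain(from_domain),
        "header_ips": header_ips,
        "findings": [],
    }
    if report["dmarc"] != "pass":
        report["findings"].append("dmarc_not_pass")
    if not report["spf_aligned"]:
        report["findings"].append("spf_not_aligned")
    if not report["dkim_aligned"]:
        report["findings"].append("dkim_not_aligned")
    if return_path_domain and org_domain(return_path_domain) != org_domain(from_domain):
        report["findings"].append("return_path_mismatch")
    return report


if __name__ == "__main__":
    print(analyze_headers(PHISH_HEADERS)["findings"])
    print(analyze_headers(GOOD_HEADERS)["findings"])
```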
Brute-force Alert

Gather information: Destination IP(s), Login Failure Reason, User Name(s), Source IP(s), Logon Type

Does the user have higher privileges?

Analysis:
• Check if the source IP is local or remote
• What is the destination IP?
• How many source IPs are involved?
• What is the frequency of the attempts?
• Failure reason (user account disabled, password incorrect, account locked etc.)

Actions:
• Temporarily disable the user account
• Ask the user to change the password
• If an external IP is involved, block it on the firewall

DOS Alert

Gather information: 1. Source IP(s) 2. Targeted IP

Is the affected service critical or public facing?

Analysis:
• Access the service as a user to see if it is still up and running
• Run 'netstat -an' to check if there are several WAIT connections
• Run continuous pings to see if there are any packet drops
• Check the bandwidth consumption on network monitoring tools (PRTG, Nagios)
• If the intensity is too high, open the bridge call

Actions:
• Open a bridge call with the network team, ISP, application team, SOC lead/manager and server team
• Temporarily add more servers to load balance
• Reduce the connection wait time
• Limit the number of connections from an IP address
• Block the top 5 or 10 IPs that are aggressively involved in the attack
• Prepare to bring up the DR servers
Ransomware Alert

The logic of the correlation rule will be based on some IOC of a ransomware, so it is important to verify if the IOCs are reliable.

Gather information: 1. Source IP(s) 2. IOCs (URL or hash or IP address)

Analysis:
• Verify the credibility of the IOC. Use IBM X-Force or … to check the reputation and confidence level.
• Gather information like the IP address; track the host name (by DHCP logs).
• Call the user and inform them about the situation.
• Take remote access and ensure the AV is running and has the latest signatures.
• Also, look for any indication of a ransomware attack (file extensions, inaccessible files etc.).
• If the alert is genuine, ask the user to disconnect from the network, open a ticket and assign it to the endpoint security team.
• Continue analysis to understand the source of the malware.
• Look for any other infected machines with the help of the IOC or the source of the malware.

Actions:
• Identify the type of ransomware and the stage of encryption.
• If it is in the early stage of encryption, try to identify the process and kill it.
• DO NOT reboot the machine as it might render the machine useless.
• If files are already encrypted, try to look for decryption keys from a reliable source (AV vendors).
• If it is a user machine, format it.
• If it is a server, format it and restore from the backup.

anand guru 


Explain the analysis for a SQL Injection Attack

SQL Injection Attack Alert. Usually IPS and WAF can report SQL injection attempts.

Gather information: Source IP(s), Log Source (IPS/WAF), Severity

Analysis:
• Check the reputation of the IP address
• Check if this IP address was involved in any recon activity on our servers
• Look for suspicious events on the database (like configuration changes, strange queries, DROP statements etc.)
• Check to see if there is any anomaly in SELECT statements

Actions:
• Raise a ticket to block the IP on the firewall.
• Raise a ticket to expedite the patching process on the target server.
Possible Botnet Activity Alert

Gather information: 1. Source IP 2. Destination IP 3. Destination Port 4. Log Source 5. Device (Firewall/IPS/Proxy) Action

Analysis:
• Check the reputation of the public IP. Check its history and what kind of malicious activity (scanning, C&C, spam etc.) it is involved in.
• Check the destination port. If it is other than 80 and 443 and is allowed by the firewall, raise a ticket and assign it to the firewall team to block the traffic.
• Check if the source host has the latest AV signatures.
• Identify the process involved in generating the traffic on the machine (use the tool TCPLogView).
• Check if the IP address is associated with any domain name or malware distribution (… or …).
• Get the associated file hashes and check if they ever appeared in your network.
• Take the associated URL/domain name and see if they were visited by any users.

Actions:
• If the traffic is allowed, block the IP at the firewall level.
• If it is done by a malware (botnet), remove it manually and run a full scan on the machine.
• Ensure all the configurations on the affected system are intact.
• Ensure the associated URLs are blocked.
• Feed the associated file hashes to the SIEM to detect any other attacks.
IPS alert on a Vulnerable Host Alert

Gather information: 1. Source IP 2. Destination IP 3. Destination Port 4. IPS Alert Name/Severity

Analysis:
• Check the reputation of the source IP.
• Check the IPS alert and understand what it means and the severity of the alert.
• See if there is an associated vulnerability (exploit signature of the IPS) for the alert.
• Research the vulnerability using the CVE number. Look for the affected OS, application and their versions.
• Check if the target server is using the vulnerable version.

Actions:
• Raise a ticket to block the IP on the firewall.
• Raise a ticket to expedite the patching process on the target server.
Steps you take to analyze an 'Unknown Process Detected' alert.

Unknown Process Detected Alert

Gather information: 1. Source IP 2. Host 3. Process Name 4. Process Hash 5. Process Path

Analysis:
• Verify if it is a known malicious process by submitting the hash to …
• If it is not a malicious process, check with the user if they have installed any new software/application and ask for the business justification.
• If the user is not aware of the running process, the new process has to be analyzed (malware analysis) to check if it is malicious.

Actions:
• Raise a ticket to block the IP on the firewall.
• Raise a ticket to expedite the patching process on the target server.
Interview Questions on Vulnerability Management

What is Vulnerability?

• A vulnerability is a weakness in a system, network or application.

System - Running an older version of a software
Network - Use of insecure protocols
Application - No user input validation (leads to injection attacks)

What is Threat?

• Anything/anyone that can exploit a vulnerability, intentionally or accidentally, is a threat.

Example: An attacker, an earthquake or untrained staff

What is Risk?

• The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.

Example: Financial losses because an e-commerce server is down, loss of reputation etc.

What is Exploit?

• A tool used to take advantage of the vulnerability.

Example: EternalBlue (takes advantage of an SMB vulnerability)
What is Vulnerability Assessment?

• Vulnerability Assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures.
• The Vulnerability Assessment team works closely with other infrastructure teams to help them remediate/patch vulnerabilities in the systems they manage.
Explain Vulnerability Management life cycle.

• Discover - Discover all the assets (using a host discovery scan)
• Prioritize Assets - Prioritize the assets based on criticality and risk
• Assess - Perform a vulnerability assessment to identify vulnerabilities
• Report - Report all the vulnerabilities, based on criticality and business risk
• Remediate - Remediate the vulnerabilities by applying the patches or modifying the configurations
• Verify - Confirm that the patch has been applied successfully by rescanning the machines
What is the difference between VA and Penetration Testing?

• Vulnerability Assessment is all about identifying the vulnerabilities and reporting them for patching and remediation.
• Penetration Testing goes one step further (after identifying the vulnerabilities) and exploits the vulnerability.
• Penetration Testing helps companies assess the risk in a better way.
Name a few VA tools?

• The popular Vulnerability Assessment tools are:
  ✓ Tenable Nessus
  ✓ Qualys Guard
  ✓ Rapid7 Nexpose
  ✓ OpenVAS (Open Vulnerability Scanner) - Open source tool
What is a Scan Template?

• A scan template is a pre-configured setting for a specific type of scan a user wants to perform.

Example (Nessus scan templates):
• Advanced Scan
• Host Discovery Scan
• PCI Compliance Scan
• Specific Vulnerability Scan (Scan for WannaCry Ransomware)
• Intel AMT Security Bypass
• Shadow Brokers Scan

More cybersecurity interview questions & answers @ https://bit.ly/ag-soc-qna 




How do VA Scanners identify Vulnerabilities?

• Most VA scanners use some kind of scripting language to scan the machines, and the results are compared with a database of known vulnerabilities.
• A vulnerability scanner can also detect weak configurations and passwords, no password, or default passwords.
• Some of the scripts look for registry values to identify the version and patch level of an application.
Where do you find Vulnerability details?

• A few good sources for all the vulnerabilities are:
• www.cvedetails.com
• www.nvd.nist.gov (National Vulnerability Database)
• www.cve-mitre.org
What is CVE?

• CVE stands for Common Vulnerabilities and Exploits. It is a number given to each identified vulnerability.
• CVE is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities.
• The format of the CVE is:
  CVE prefix + Year + 4 Arbitrary Digits (CVE-YYYY-NNNN)

Example: CVE-2019-1760
What is CVSS?

• CVSS stands for Common Vulnerability Scoring System. It is an industry standard used by vendors to define the criticality of a vulnerability. The score ranges from 0 to 10.
• CVSS scores are categorized as below:

[Figure: Categories of CVSS v3.0]
How frequently should Vulnerability scans be run?

When does a company run Vulnerability Scans?

• Vulnerability assessments are usually performed on a scheduled basis, typically once a month or once a quarter.
• Scans can also be run on a need basis. A solid example is when a new headline vulnerability emerges. When this vulnerability assessment is performed, the scans are configured to specifically look for the new vulnerability.
What is Patch Management?

• Patch management is the process of applying (installing) patches to a system or application in order to get new features, fix bugs or fix security issues.

Difference between Hotfix, Patch and Service Packs.

• Hotfix addresses only one bug (issue). Typically does not require a reboot.
  v8.5.0 to 8.5.0 Build 20200101
• Patch is a collection of hotfixes and new features. Usually requires a reboot of the system to be effectively applied.
  v8.5.0 to 8.5.1
• Service Pack is a collection of patches.
What is Change Management?

• Change management is the process, tools and techniques to manage the people side of change to achieve the required business outcome.
• Change management helps in reducing the risk associated with the change.
• When a team (or individual) wants to perform a change on the server, they raise a Change Request (CR).

Change Request Form Template

Requested By       | Name of requestor
Date               | Date request was raised
Request No         |
Name of Request    | Brief name of request
Change Description |
Change Reason      | Give the justification for the change
Impact of change   |
Proposed Action    |
Approved           |
Approval Date      | The date the change was approved or rejected
Approved By        |
What is Buffer Overflow Vulnerability?

• A buffer overflow vulnerability is a weakness in an application that lets an attacker over-run a fixed-length block of memory. It is possible that the attacker might consume the entire memory, thereby slowing down or crashing the server. This leads to a Denial of Service attack.

Example: CVE-2016-6808 - Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42.

What is Remote Code Execution Vulnerability?

• Remote Code Evaluation is a vulnerability that, when exploited, lets the attacker execute commands on the compromised server.
• A Remote Code Evaluation can lead to a full compromise of the server.

Example: CVE-2019-1238 - VBScript Remote Code Execution Vulnerability
If a vulnerability cannot be patched immediately, what has to be done?

• Step up the security for the server.
  Like tightening the configurations on the OS, AV, host firewall etc.
• Check with the IPS team if there is a signature available to detect if the vulnerability is being exploited; if so, assign a high severity to it.
• Increase the level of monitoring on the server.
  Typically done by putting the affected server(s) in a list and writing more sensitive rules.
  Like if the default threshold for brute-force is 100 attempts in 1 minute, on this server it will be 10 in 1 minute.
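The "sensitive list" rule described above, together with the gathering step of the Brute-force Alert procedure earlier on this page, as an added example that is not part of the original notes: logon failures are bucketed per target host, source IP and minute, compared against 100/minute by default and 10/minute for hosts on the list, and each alert carries the users, failure reasons, logon types and local/remote verdict an analyst collects first. The server list and all events are constructed; the NTSTATUS codes and logon type numbers are the standard Windows event 4625 values.

```python
import ipaddress
from collections import defaultdict

DEFAULT_THRESHOLD = 100      # failed logons per minute, the normal rule
SENSITIVE_THRESHOLD = 10     # tighter threshold for servers on the list
SENSITIVE_HOSTS = {"SRV-APP01"}   # constructed list of servers awaiting a patch

# Windows logon-failure status codes (NTSTATUS) as logged in event 4625
FAILURE_REASON = {"0xC000006A": "password incorrect",
                  "0xC0000234": "account locked",
                  "0xC0000072": "account disabled"}
LOGON_TYPE = {2: "Interactive", 3: "Network", 10: "RemoteInteractive (RDP)"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(ip):
    """Local means an RFC 1918 address; anything else is treated as remote."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def _fail(ts, host, src, user, ltype, status):
    return {"ts": ts, "host": host, "src": src, "user": user, "ltype": ltype, "status": status}


# Constructed logon-failure events: 13 against the listed server from one
# external IP inside a minute, 40 against a workstation from an internal IP.
EVENTS = [
    _fail("2024-05-01 02:10:%02d" % (i * 4), "SRV-APP01", "203.0.113.50",
          "administrator" if i % 2 else "svc_backup", 3, "0xC000006A") for i in range(12)
] + [
    _fail("2024-05-01 02:10:49", "SRV-APP01", "203.0.113.50", "administrator", 3, "0xC0000234"),
] + [
    _fail("2024-05-01 02:11:%02d" % i, "WS-0007", "10.0.0.15", "bob", 10, "0xC000006A") for i in range(40)
]


def brute_force_alerts(events, sensitive_hosts=SENSITIVE_HOSTS):
    """Bucket failures per (target host, source IP, minute) and compare each
    bucket with the threshold that applies to that host. Returns one alert
    per bucket that crosses the threshold, with the details gathered first
    during triage."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[(ev["host"], ev["src"], ev["ts"][:16])].append(ev)   # minute precision
    alerts = []
    for (host, src, minute), evs in sorted(buckets.items()):
        threshold = SENSITIVE_THRESHOLD if host in sensitive_hosts else DEFAULT_THRESHOLD
        if len(evs) < threshold:
            continue
        alerts.append({
            "host": host, "src": src, "minute": minute,
            "count": len(evs), "threshold": threshold,
            "remote": not is_local(src),
            "users": sorted({e["user"] for e in evs}),
            "reasons": sorted({FAILURE_REASON.get(e["status"], e["status"]) for e in evs}),
            "logon_types": sorted({LOGON_TYPE.get(e["ltype"], str(e["ltype"])) for e in evs}),
        })
    return alerts


if __name__ == "__main__":
    for alert in brute_force_alerts(EVENTS):
        print(alert)
```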
What are the vulnerabilities you have worked on?

• I can always recall working on the WannaCry Ransomware threat.
• The weakness (vulnerability) was with Microsoft's SMBv1 (MS17-010).
• Microsoft had already released the patch.
• We had 800 Windows servers and around 4000 Windows client machines.
• We were working closely with the server/system team and the vulnerability management team.
• Scans were scheduled on an almost hourly basis on different network segments.
• Pulling reports on a regular basis. We presented a report to our CISO every 3 hours for almost 4 days, till we got 98% of the machines patched.
What is the latest vulnerability you have heard of?

• Look at the latest vulnerability.
• Get the vendor, product and version of the product it is present in.
• Try to remember the CVE number if possible.
• Understand how the vulnerability can be exploited.
• Check if a patch is already available.
• See if any major attacks have happened because of this vulnerability.
• Try to relate the vulnerability to your organization.
  Did it affect the company you are working with?
  How did your company handle the vulnerability?
  What teams were involved in patching?
Interview Questions on Threat Hunting

What is Threat Hunting?

Threat hunting is a human-driven, proactive and iterative approach which involves searching through networks and endpoints to detect malicious activities that have evaded detection by existing automated tools.

Hunting is an offense-based approach that applies adversaries' tactics and techniques, and adopts their mindset when investigating signs of compromise within an organization.
Explain Threat Hunting Process.

The process involves 5 stages:

1 - Hypothesis Generation: The aim of these hypotheses is to find evidence of threats before they are exploited, or even ones that are already being exploited.

2 - Validation of the hypotheses: Once a hypothesis has been defined, its validity needs to be verified. We then need to look for the existence of threats that fit this hypothesis. In this stage it is usual for some hypotheses to be discarded, while research into others is prioritized due to their likelihood or criticality.

3 - Finding evidence: From the results obtained in the previous search, we need to verify if a threat really exists. False positives and mistakes in configuration are set aside, and efforts are focused on the validated hypotheses.

4 - Discovery of new patterns: The attack is reconstructed to find any new patterns and tactics used to carry it out.

5 - Notification and enrichment: Using the knowledge generated during the Threat Hunting process, the automatic detection systems are enriched and improved. This way, the organization's global security is improved.
Why should we do Threat Hunting?

Advantages of threat hunting are as follows:
• Proactively uncover security incidents
• Detect the undetected
• Improve the speed of threat response
• Reduce false positives and improve SOC efficiency
• Reduce dwell time. Hunting enables an organization to identify and stop adversaries early in the kill chain, which stops them from reaching their ultimate target.
• Evict adversaries with minimal business disruption.
Difference between Threat Hunting and Threat Detection?

Threat Detection is a reactive approach.
It uses traditional preventive technologies and monitoring tools to detect malicious activity.
Threat detection leads to mitigation.

Threat Hunting is a proactive approach.
It detects slow and stealthy attacks that would otherwise go unnoticed by preventive technologies.
Threat hunting leads to threat detection and incident response.
What tools do you use for Threat Hunting?

A few of the threat hunting tools are:
• Sqrrl
• Vectra Cognito
• Exabeam Threat Hunter
• Endgame
• DNIF

Other tools that help during threat hunting include:
• EDR
• Threat Intelligence
• ELK for analytics
Explain the different Threat Hunting Techniques.

Different threat hunting techniques are as follows:

Searching: This is probably the most basic form of threat hunting. With this technique, you are trying to support your formulated hypothesis with information and data from a very specific set of defined search criteria.

Clustering: This is more of a quantitative, statistically-based approach to threat hunting. With this technique, the threat hunter is attempting to "cluster" similar datasets from a larger pool of data, to find the hidden or unseen trends in these datasets.

Grouping: In this scenario, the threat hunter is looking at different (or unique) artifacts that have been discovered and identifying them based on the same set of criteria that was used to formulate the original hypothesis.

Stack Counting: This is another type of statistical technique. In this case, the threat hunter ascertains the total number of occurrences of a certain dataset by closely examining any sorts of outliers that may exist.
Explain the OODA Strategy.

OODA is an abbreviation of Observe, Orient, Decide and Act. Military personnel apply OODA when they carry out combat operations. Likewise, threat hunters use OODA during cyberwarfare. In the context of threat hunting, OODA works as:

Observe: A first phase that involves routine data collection from endpoints.

Orient: Understanding the collected data thoroughly and combining this information with other collected information to help understand its meaning.

Decide: Once you have analyzed the information, then you need to identify the course of action. If the incident occurs, threat hunters will execute the incident response strategy.

Act: The last phase involves the execution of the plan to put an end to the intrusion and enhance the company's security posture. Further measures are taken to prevent the same type of attack in the future.
What is Diamond Model?

The Diamond Model emphasizes the relationship between the basic elements of any malicious activity.

It has 4 elements:
1. The Adversary
2. The Victim
3. Infrastructure
4. Capability

All malicious activity contains these elements.

[Figure: the diamond with ADVERSARY at the top, INFRASTRUCTURE and CAPABILITY at the sides and VICTIM at the bottom]
What is MITRE ATT&CK? How is it used in Threat Hunting?

ATT&CK stands for Adversarial Tactics, Techniques and Common Knowledge.
It is a knowledge base of attacks, the tactics and techniques used, and the associated APT groups.

It helps in mapping out an attack in various stages (called Tactics) and the methods/tools (called Techniques) used at various stages.

The MITRE ATT&CK framework is used by threat hunters:
• To map various attack vectors.
• To identify the ones that your organization is susceptible to.
• To build hypotheses around the prioritized techniques.
• To hunt for the adversaries.
Give example of Threat Hunting Hypothesis.

1. Recognizing suspicious software
• This is useful in detecting malware.
• Look for Event ID 4688. Also use Sysmon to enable logging of all process starts and terminations.
• Make a list of all standard processes that run in the network.
• Use process hashes (some malware can run with legitimate process names, like notepad.exe).

2. Detecting Command and Control Communication
• Malware communicates back to C2 servers to exfiltrate data or get further instructions for the attack.
• They typically use common port numbers to avoid detection. But we can check for various combinations of communication channels like:
  - Common Port & Common Protocol
  - Common Port & Uncommon Protocol
  - Uncommon Port & Common Protocol
  - Uncommon Port & Uncommon Protocol
• Hypothesis: Attackers may be operating on a C2 channel that uses a common protocol on a common network port.
• Look for unique artifacts pertinent to the protocol you are interested in. For example, if you are interested in identifying C2 in HTTP traffic, then you might consider looking for anomalous domains/URLs/User-Agent strings.
• Dataset to use:
  - HIPS logs
  - Firewall logs
  - Proxy logs
  - DNS logs
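The four port/protocol combinations from hypothesis 2, plus the User-Agent outlier check for the common-port/common-protocol HTTP case, as an added example that is not part of the original notes. It assumes the proxy or firewall logs the detected application protocol alongside the destination port; the "common" port table and every flow below are constructed.

```python
from collections import Counter

# Ports treated as common and the protocol normally expected on each.
# Constructed for the example; a real hunt would derive this from the
# organization's own baseline.
COMMON_PORTS = {80: "http", 443: "tls", 53: "dns", 25: "smtp"}

# Constructed outbound flows as a proxy/firewall with application detection
# would log them: (src, dst, dport, detected protocol, User-Agent or None)
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, "tls", None),
    ("10.0.0.5", "203.0.113.10", 443, "ssh", None),        # SSH hidden on 443
    ("10.0.0.6", "198.51.100.7", 8443, "tls", None),       # TLS on an odd port
    ("10.0.0.7", "198.51.100.9", 4444, "unknown", None),   # neither matches
] + [
    ("10.0.0.%d" % (10 + i), "203.0.113.80", 80, "http",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0") for i in range(8)
] + [
    ("10.0.0.42", "198.51.100.66", 80, "http", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
]


def quadrant(dport, proto):
    """Map one flow onto the four port/protocol combinations listed above."""
    port_common = dport in COMMON_PORTS
    proto_common = proto in COMMON_PORTS.values()
    if port_common and proto != COMMON_PORTS[dport]:
        proto_common = False   # a known protocol on the wrong well-known port is still a mismatch
    return ("common" if port_common else "uncommon") + " port / " + \
           ("common" if proto_common else "uncommon") + " protocol"


def classify_flows(flows):
    """Group flows by quadrant; the three mismatch quadrants are the hunt's
    first-pass candidates, the common/common group needs deeper inspection."""
    groups = {}
    for flow in flows:
        groups.setdefault(quadrant(flow[2], flow[3]), []).append(flow)
    return groups


def rare_user_agents(flows, max_count=1):
    """Stack-count User-Agent strings on HTTP flows and return the outliers,
    which is where a C2 client hiding in ordinary web traffic tends to stand out."""
    counts = Counter(ua for _, _, _, proto, ua in flows if ua and proto == "http")
    return [(ua, n) for ua, n in counts.most_common() if n <= max_count]


if __name__ == "__main__":
    for name, group in classify_flows(FLOWS).items():
        print(name, len(group))
    print(rare_user_agents(FLOWS))
```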
Example of Threat Hunting Hypothesis.

3. Hunting for Internal Reconnaissance

Hypothesis: An attacker conducting internal reconnaissance would attempt to carry out host enumeration and automate these commands with a script.

Look for these commands to be spawned by a script:
• whoami
• net user
• useraccount (WMIC)
• Get-NetIPConfiguration (PowerShell)
• hostname
• ipconfig
• nicconfig (WMIC)

Dataset to use:
• Process Names
• Process Hashes
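Hypothesis 3 as a hunt over process-creation events, as an added example that is not part of the original notes: the enumeration commands listed above count only when their parent is a script host or a script file, a host is flagged when several different ones run inside a short window, and the stack-counting technique from the "Threat Hunting Techniques" answer gives the fleet-wide frequency of each command. Hosts, users, script paths and all events are constructed; the event shape follows Sysmon event 1 / Windows 4688 fields.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Enumeration commands from the hunt above: image name -> substring(s) the
# command line must contain (None means any invocation of the image counts).
ENUM_COMMANDS = {
    "whoami.exe": None,
    "hostname.exe": None,
    "ipconfig.exe": None,
    "net.exe": ("user",),
    "wmic.exe": ("useraccount", "nicconfig"),
    "powershell.exe": ("get-netipconfiguration",),
}
# Parents that indicate the command was launched by a script rather than typed.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_ARGS = (".bat", ".cmd", ".ps1", ".vbs", ".js")


def _ev(ts, host, parent, parent_cmd, image, cmd):
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host,
            "parent": parent, "parent_cmd": parent_cmd, "image": image, "cmd": cmd}


# Constructed process-creation events. WS-0042 runs a batch file that
# enumerates the host; WS-0007 is an admin typing whoami; WS-0011 runs one
# inventory cmdlet from a scheduled script.
EVENTS = [
    _ev("2024-05-01 14:00:01", "WS-0042", "cmd.exe", 'cmd.exe /c "C:\\Temp\\r.bat"', "whoami.exe", "whoami"),
    _ev("2024-05-01 14:00:01", "WS-0042", "cmd.exe", 'cmd.exe /c "C:\\Temp\\r.bat"', "hostname.exe", "hostname"),
    _ev("2024-05-01 14:00:02", "WS-0042", "cmd.exe", 'cmd.exe /c "C:\\Temp\\r.bat"', "ipconfig.exe", "ipconfig /all"),
    _ev("2024-05-01 14:00:02", "WS-0042", "cmd.exe", 'cmd.exe /c "C:\\Temp\\r.bat"', "net.exe", "net user"),
    _ev("2024-05-01 14:00:03", "WS-0042", "cmd.exe", 'cmd.exe /c "C:\\Temp\\r.bat"', "wmic.exe", "wmic useraccount list"),
    _ev("2024-05-01 14:00:03", "WS-0042", "cmd.exe", 'cmd.exe /c "C:\\Temp\\r.bat"', "wmic.exe", "wmic nicconfig get ipaddress"),
    _ev("2024-05-01 14:05:10", "WS-0007", "cmd.exe", "cmd.exe", "whoami.exe", "whoami"),
    _ev("2024-05-01 14:06:00", "WS-0011", "powershell.exe", "powershell.exe -File C:\\Ops\\inv.ps1",
        "powershell.exe", "powershell Get-NetIPConfiguration"),
    _ev("2024-05-01 14:07:00", "WS-0011", "explorer.exe", "explorer.exe", "notepad.exe", "notepad"),
]


def is_enum_command(ev):
    image = ev["image"].lower()
    if image not in ENUM_COMMANDS:
        return False
    needles = ENUM_COMMANDS[image]
    return needles is None or any(n in ev["cmd"].lower() for n in needles)


def spawned_by_script(ev):
    parent = ev["parent"].lower()
    return parent in SCRIPT_HOSTS or any(a in ev["parent_cmd"].lower() for a in SCRIPT_ARGS)


def hunt_internal_recon(events, window_minutes=5, min_distinct=3):
    """Per host, collect enumeration commands spawned by a script and flag the
    host when at least `min_distinct` different ones run inside the window."""
    per_host = defaultdict(list)
    for ev in events:
        if is_enum_command(ev) and spawned_by_script(ev):
            per_host[ev["host"]].append(ev)
    window = timedelta(minutes=window_minutes)
    findings = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            distinct = sorted({e["cmd"] for e in burst})
            if len(distinct) >= min_distinct:
                findings[host] = distinct
                break
    return findings


def stack_count(events):
    """Stack counting: fleet-wide frequency of each enumeration command line,
    most common first, so the rare ones at the tail stand out."""
    return Counter(e["cmd"].lower() for e in events if is_enum_command(e)).most_common()


if __name__ == "__main__":
    print(hunt_internal_recon(EVENTS))
    print(stack_count(EVENTS))
```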




What makes a person good at Threat Hunting?

• Good understanding of various attack vectors (TTPs in the ATT&CK framework)
• Hypothetical thinking: the ability to hypothesize threat attacks, source vectors and organizational impact
• Good knowledge of the organization's infrastructure
• Good at pattern recognition
• Being aware of the latest attack techniques
• Data analytics
• Basic scripting knowledge for automation
How do you measure effectiveness of Threat Hunting?

A few of the key metrics in measuring the effectiveness of threat hunting include:
• Number of incidents by severity
• False positive rate of transitioned hunts
• Dwell time of any incidents discovered
• Number of detection gaps identified and fixed
• Logging gaps identified and corrected
• Insecure practices identified and corrected
• Number of hunts transitioned to new analytics
• Any new visibility gained